SELinux Knowledge Patch
Covers SELinux policy development features added after Claude's training cutoff.
Baseline knowledge: SELinux modes (enforcing/permissive/disabled), security contexts (user:role:type:level), booleans (setsebool/getsebool), basic policy management (semanage, semodule, restorecon), and audit2allow.
Quick Reference: CIL vs Kernel Policy Language
CIL (Common Intermediate Language) replaces M4-based .te/.if/.fc policy modules with S-expression syntax:
| Kernel Policy | CIL Equivalent | Notes |
|---|---|---|
| attribute | typeattribute | Declares a type attribute |
| typeattribute | typeattributeset | Assigns types to an attribute |
| attribute_role | roleattribute | Declares a role attribute |
| allow | allow | Same syntax, S-expression form |
| module / require | block / blockinherit | Namespacing replaces module system |
CIL eliminates M4 macro dependency and module load-ordering requirements.
CIL Policy Basics
CIL uses (block ...) for namespacing — all declarations inside a block are scoped:
```cil
(block myapp
    (type process)
    (type data)
    (role app_r)
    (roletype app_r process)
    (allow process data (file (read write open getattr)))
)
```
Types are referenced across blocks as blockname.typename (e.g., myapp.process).
Block Inheritance
Blocks can inherit from other blocks, replacing the M4 template/interface pattern:
```cil
(block base_app
    (type process)
    (type data)
)
(block webapp
    (blockinherit base_app)
    ;; webapp.process and webapp.data now exist
    (allow process data (file (read write)))
)
```
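To make the scoping and inheritance rules above concrete, here is an added example (not part of the CIL toolchain or this plugin) that reads CIL S-expressions and flattens blocks into block.name-qualified types and allow rules. It assumes unqualified names are local to their block, which is a simplification of CIL's real name lookup.

```python
"""Added illustration (not CIL toolchain code): flatten CIL blocks and
blockinherit into block.name-qualified types and allow rules."""
import re


def parse_sexpr(text):
    """Parse CIL text (';;' comments removed) into nested Python lists."""
    tokens = re.findall(r"\(|\)|[^\s()]+", re.sub(r";.*", "", text))
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    return stack[0]


def resolve_blocks(policy):
    """Return {block: {"types": [...], "allows": [...]}} with block.name
    qualification. Simplification: unqualified names are taken as local to
    the block, whereas real CIL also searches enclosing and global scope."""
    raw = {n[1]: n[2:] for n in parse_sexpr(policy) if n and n[0] == "block"}

    def expand(block):
        # blockinherit copies every parent statement into this block; the
        # parent must already be declared (no cycle detection here)
        out = []
        for stmt in raw[block]:
            out += expand(stmt[1]) if stmt[0] == "blockinherit" else [stmt]
        return out

    def qualify(name, block):
        return name if "." in name else f"{block}.{name}"
    resolved = {}
    for block in raw:
        types, allows = [], []
        for stmt in expand(block):
            if stmt[0] == "type":
                types.append(qualify(stmt[1], block))
            elif stmt[0] == "allow":  # (allow src tgt (class (perms...)) ...)
                perms = {cls: tuple(p) for cls, p in stmt[3:]}
                allows.append((qualify(stmt[1], block),
                               qualify(stmt[2], block), perms))
        resolved[block] = {"types": types, "allows": allows}
    return resolved


# Constructed sample: the base_app/webapp blocks from the text.
SAMPLE = """(block base_app (type process) (type data))
(block webapp (blockinherit base_app)  ;; webapp.process, webapp.data now exist
    (allow process data (file (read write)) (dir (search getattr))))"""
```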
Access Rule Syntax
CIL access rules group permissions by object class in S-expressions:
```cil
;; Single class, multiple permissions
(allow src_t tgt_t (file (read write open getattr)))
;; Multiple classes in one rule
(allow src_t tgt_t (file (read write)) (dir (search getattr)))
```
Loading CIL Modules
Compile and load CIL policies directly with semodule — no .pp compilation step:
```bash
semodule -i myapp.cil
semodule -r myapp   # remove
```
See references/cil-policy.md for full CIL syntax details and examples.
udica: Container Policy Generator
Generate tailored SELinux policies for containers from their runtime inspection data:
```bash
# Inspect running container → generate CIL policy
podman inspect <container_id> | udica my_policy
# Install policy with required template modules
semodule -i my_policy.cil \
    /usr/share/udica/templates/{base_container.cil,net_container.cil,home_container.cil}
# Run container with the custom policy
podman run --security-opt label=type:my_policy.process ...
```
udica parses container JSON for capabilities, mount points, and ports, then combines appropriate CIL template blocks. Works with Podman and Docker.
See references/container-policy.md for template selection and advanced usage.
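The template-selection step udica performs can be seen in this added example, which is a simplified reimplementation of the approach and not udica's own code. It assumes the template block names match the template file stems listed above and that added capabilities become a capability allow rule; the inspect JSON is constructed.

```python
"""Added illustration of the udica approach, not udica's own code: pick CIL
template blocks from container inspect JSON and emit a policy module.
Assumed: template block names equal the template file stems, and added
capabilities become (allow process process (capability (...))) rules."""
import json

MOUNT_TEMPLATES = {"/home": "home_container"}  # assumed prefix -> template


def generate_cil(inspect_json, name):
    """Return CIL text for module `name` from podman/docker inspect output."""
    container = json.loads(inspect_json)[0]
    host = container.get("HostConfig") or {}
    inherits = ["base_container"]
    if host.get("PortBindings"):  # published ports need the network template
        inherits.append("net_container")
    for mount in container.get("Mounts") or []:
        src = mount.get("Source", "")
        for prefix, template in MOUNT_TEMPLATES.items():
            if src.startswith(prefix + "/") and template not in inherits:
                inherits.append(template)
    lines = [f"(block {name}"] + [f"    (blockinherit {t})" for t in inherits]
    caps = sorted(c.lower().removeprefix("cap_") for c in host.get("CapAdd") or [])
    if caps:  # e.g. CAP_NET_ADMIN -> net_admin capability permission
        lines.append(f"    (allow process process (capability ({' '.join(caps)})))")
    lines.append(")")
    return "\n".join(lines)


# Constructed inspect output (shape of `podman inspect`), not a real container.
SAMPLE_INSPECT = json.dumps([{
    "HostConfig": {"PortBindings": {"8080/tcp": [{"HostPort": "8080"}]},
                   "CapAdd": ["CAP_NET_ADMIN", "CHOWN"]},
    "Mounts": [{"Type": "bind", "Source": "/home/alice/site",
                "Destination": "/var/www"}],
}])

if __name__ == "__main__":
    print(generate_cil(SAMPLE_INSPECT, "my_policy"))
```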
Kernel Policy Extensions
allowxperm Netlink Message Filtering (kernel >= 6.13)
Extended permissions now support netlink message type filtering. Requires enabling the netlink_xperm policycap:
```cil
(policycap netlink_xperm)
```
Grant the base nlmsg permission, then restrict it to specific netlink message types given as hex values:
```
allow src_t tgt_t : netlink_route_socket nlmsg;
# 0x12 is RTM_GETLINK; only this message type is permitted on the socket
allowxperm src_t tgt_t : netlink_route_socket nlmsg { 0x12 };
```
Supported socket classes:
| Socket Class | Use Case |
|---|---|
| netlink_route_socket | Route, link, address management |
| netlink_tcpdiag_socket | TCP diagnostic queries |
| netlink_xfrm_socket | IPsec/XFRM policy and state |
| netlink_audit_socket | Audit subsystem control |
Default Object Rules (policy version 27+)
Control which context field (source or target) provides user/role/type/range for newly created objects:
```
default_user file target;
default_role file source;
default_type file source;
default_range file target low;
```
The low, high, or low_high qualifier on default_range controls which part of the MLS range is used. Applies to file, dir, lnk_file, chr_file, blk_file, sock_file, fifo_file and other object classes that undergo labeling transitions.
See references/kernel-policy-extensions.md for detailed semantics and range qualifier reference.
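An added example (not kernel code) that computes the context a new file object receives under the default_* rules shown above; fields without a rule fall back to the kernel's behaviour for file classes (user from source, role object_r, type from target, low level of the source range). The contexts are constructed.

```python
"""Added illustration (not kernel code): resolve the context of a newly
created file object under default_user/role/type/range rules."""


def split_context(ctx):
    """'user:role:type[:low[-high]]' -> (user, role, type, low, high)."""
    parts = ctx.split(":", 3)  # the MLS range itself may contain ':'
    user, role, type_ = parts[:3]
    rng = parts[3] if len(parts) == 4 else ""
    low, _, high = rng.partition("-")
    return user, role, type_, low, high or low


def new_object_context(source, target, defaults):
    """defaults: {"user": "source"|"target", "role": ..., "type": ...,
    "range": ("source"|"target", "low"|"high"|"low_high")}.
    Missing keys use the kernel defaults for file classes: user from source,
    role object_r, type from target, low level of the source range."""
    ctx = {"source": split_context(source), "target": split_context(target)}
    user = ctx[defaults.get("user", "source")][0]
    role = ctx[defaults["role"]][1] if "role" in defaults else "object_r"
    type_ = ctx[defaults.get("type", "target")][2]
    side, part = defaults.get("range", ("source", "low"))
    low, high = ctx[side][3], ctx[side][4]
    rng = {"low": low, "high": high,
           "low_high": low if low == high else f"{low}-{high}"}[part]
    return ":".join(x for x in (user, role, type_, rng) if x)


# Constructed contexts: the creating process and the parent directory.
SRC = "system_u:system_r:httpd_t:s0-s0:c0.c1023"
TGT = "staff_u:object_r:var_t:s1-s2:c0.c3"
# The four rules from the text above
RULES = {"user": "target", "role": "source", "type": "source",
         "range": ("target", "low")}
```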
Reference Files
| File | Contents |
|---|---|
| cil-policy.md | CIL syntax, blocks, inheritance, type/role declarations, access rules |
| container-policy.md | udica container policy generation, templates, Podman/Docker workflow |
| kernel-policy-extensions.md | allowxperm nlmsg rules, default object rules, policycap requirements |