[Security-sig] PEP 551: Security transparency in the Python runtime

Christian Heimes christian at python.org
Fri Aug 25 13:58:20 EDT 2017


On 2017-08-25 19:22, Steve Dower wrote:
> Nice. I looked into SELinux and didn't find any docs about how to add
> labels. I'd really like to include links that help people actually
> implement this stuff - any tips?

You can use chcon (change context) to temporarily change the labels of a
file or directory structure. However that is the recommended way to deal
with SELinux labels. Typically SELinux types and labels are either
defined in the system global policy or by additional package policies.
File labels are usually set by rules. This has the advantage that new
files automatically get the right context.

Here is a simplified and partial example for a simple Python
'myservice'. When the service is started by the init system, the process
automatically transitions into the myservice_exec_t domain.

# file context (.fc): paths are matched by regex, so new files get the right label
/usr/sbin/myservice -- gen_context(system_u:object_r:myservice_exec_t,s0)
/usr/lib/python3.6(/.*)? gen_context(system_u:object_r:python_module_t,s0)

# definitions (.te)
type myservice_t;        # domain of the running service process
type myservice_exec_t;   # label of the executable; entry point into myservice_t
init_daemon_domain(myservice_t, myservice_exec_t)   # init -> myservice_t transition

type python_module_t;    # label for the interpreter's module files
files_type(python_module_t)

# the service may only stat/open/read files labelled python_module_t
allow myservice_t python_module_t:file { getattr open read };


We can talk about SELinux during the sprint. If you like either Nick,
Victor, or I could contact some engineers from SELinux (Dan) and Linux
auditing team (Paul, RGB) here at Red Hat.

Christian
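An added illustration (not from the thread, and not a real SELinux tool) of how the rule-based labelling and the allow rule in the snippet above combine: it parses the two file-context lines and the allow line, labels arbitrary paths the way a last-match-wins file_contexts lookup would, and answers whether the myservice_t domain may read them. The policy text is copied from the message; the evaluator and the sample paths are constructed.

```python
import re

# Policy fragments copied from the message; the evaluator below is a constructed toy.
FILE_CONTEXTS = """
/usr/sbin/myservice -- gen_context(system_u:object_r:myservice_exec_t,s0)
/usr/lib/python3.6(/.*)? gen_context(system_u:object_r:python_module_t,s0)
"""
ALLOW_RULES = """
allow myservice_t python_module_t:file { getattr open read };
"""

# <path-regex> [--|-d] gen_context(user:role:type,level)
FC_RE = re.compile(r'^(\S+)\s+(?:(--|-d)\s+)?gen_context\(\w+:\w+:(\w+),\w+\)$')
# allow <source> <target>:<class> { perm ... };
ALLOW_RE = re.compile(r'^allow\s+(\w+)\s+(\w+):(\w+)\s+\{([^}]*)\};$')

def parse_file_contexts(text):
    """Return [(compiled path regex, file type)] in policy order."""
    rules = []
    for line in text.strip().splitlines():
        m = FC_RE.match(line.strip())
        if m:
            rules.append((re.compile(m.group(1) + r'$'), m.group(3)))
    return rules

def parse_allow_rules(text):
    """Return {(source domain, target type, class): set(permissions)}."""
    rules = {}
    for line in text.strip().splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            key = (m.group(1), m.group(2), m.group(3))
            rules.setdefault(key, set()).update(m.group(4).split())
    return rules

def label_for(path, fc_rules):
    """Label a path by rule; the last matching file_contexts entry wins.
    Returns None when nothing matches (the real policy has a catch-all /.* entry)."""
    ftype = None
    for pattern, t in fc_rules:
        if pattern.match(path):
            ftype = t
    return ftype

def check_access(domain, path, perm, fc_rules, allow_rules, cls='file'):
    """Simplified decision: label the path, then require a matching allow rule."""
    ftype = label_for(path, fc_rules)
    if ftype is None:
        return False
    return perm in allow_rules.get((domain, ftype, cls), set())

FC = parse_file_contexts(FILE_CONTEXTS)
AV = parse_allow_rules(ALLOW_RULES)
# a module dropped into the tree later is labelled by the same rule, no chcon needed
print(label_for('/usr/lib/python3.6/site-packages/new_module.py', FC))   # python_module_t
print(check_access('myservice_t', '/usr/lib/python3.6/os.py', 'read', FC, AV))   # True
print(check_access('myservice_t', '/home/user/evil.py', 'read', FC, AV))         # False
print(check_access('myservice_t', '/usr/lib/python3.6/os.py', 'write', FC, AV))  # False
```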

