Policy Customizations

The CDS Framework Toolkit provides a comprehensive architecture for most CDS development. However for some CDS architectures, the toolkit may generate policy that must be altered slightly to meet the CDS requirements. For these cases, CDS Framework provides a way to customize the SELinux policy for any CDS Framework policy object.

This means of customizing policy is only meant to be used as a very last resort.

The better options to customize the generated SELinux policy are to create new dictionary entries or to create new base domains, base resources and abilities.

If other customization techniques do not meet the CDS requirements, right click on a domain, resource, entrypoint, access or enter, and select the menu item Add Custom Policy.... The toolkit will create an SELinux policy template and fill it in with the SELinux policy that would be generated by CDS Framework for the object with its current properties. Then the toolkit will open a SLIDE module editor, allowing you to edit the raw SELinux policy.

Once a policy item is customized, all graphical editing features for that policy item are disabled To remove the customizations for the particular policy item, remove the generated template from the custom module.

Base domains or base resources can not be customized as they are links to the base SELinux policy. If the policy for a base domain or resource does not meet requirements, create a new base domain or base resource for the project.

Naming of custom templates

The naming of custom templates follows a standard pattern.

For domains and entrypoints, the template name is 'cds_custom_' followed by the system name and then the domain or entrypoint name.
For resources (and for domains with resource definitions assigned), a template will be created for each resource definition, because each resource type gets a different SELinux type during translation. Each template name follows the format 'cds_custom_' followed by the system name, then the resource name, and finally the name of the resource type.
For an access, the template name follows the format 'cds_custom_access_' followed by the system name, then the domain name, the resource name, and finally the name of the resource type. Similar to resources, multiple templates will be created if multiple resource types are attached to the resource.
For an enter, the template name follows the format 'cds_custom_transition_' followed by the system name, then the source domain name, the target domain name, and finally the name of the entrypoint resource.