Getting Started

Please see the Download and Install section for instructions to install SLIDE and SLIDE Remote. Once that is done, launch Eclipse and select 'Window -> Open Perspective -> Other...' and select 'SLIDE.'

Working in SLIDE

SLIDE represents information in various views:
  • Policy Explorer

    This view shows only files related to the source of the policy. Double clicking on a module displayed here will open it in the Module Editor. By default, the Policy Explorer displays in the left side-panel of the workspace.

  • Module Editor

    This view provides a tabbed editor with each tab representing a file in the module. The 'Interfaces (.if)' tab edits the .if file, the 'Private Policy (.te)' tab edits the .te file, and the 'File Contexts (.fc)' tab edits the .fc file. By default, the Module Editor displays in the center of the workspace.

  • Interfaces View

    This view shows a list of the modules in the policy and helps to find interfaces. Enter text into the filter to limit the number of interfaces listed. Right click on an interface to add it to the module currently open in the Module Editor. By default, this view is on the right side panel of the workspace.

  • Declaration View

    This view shows a description of the interfaces currently highlighted in the Interfaces view or Module Editor. By default, this view is one of the tabs in the bottom panel of the workspace.

  • Console View

    This view shows the output from compiling the policy. By default, this view is one of the tabs in the bottom panel of the workspace.

  • Search View

    This view is a standard Eclipse view that displays the result of any search performed. By default, this view is displayed as one of the tabs in the bottom panel of the workspace when a search is performed.

  • Audit View

    This view displays audit log messages returned by the test machine when using SLIDE Remote, and is useful for debugging policies. By default, this view is displayed as one of the tabs in the bottom panel of the workspace.

Creating a New Project

Select 'File -> New -> SLIDE Project' from the menu. The New SLIDE Project wizard will walk you through the process of creating a new project. The first page prompts for the name, location and type of project.

New project type choices are:

  • Policy Module Project

    This type of project points to installed full Reference Policy source or Reference Policy headers without creating a local copy. Policy headers are typically installed in /usr/share/selinux/refpolicy/include.

  • Full Reference Policy

    With this type of project, the full Reference Policy is copied into the project location, so you can modify the policy to fit your needs. This choice requires the full Reference Policy source code to be installed on your machine.

In most cases, you should select the Policy Module Project.
For both project types, you must specify the location of the Reference Policy or installed policy headers.

For the Full Reference Policy choice, there is an additional screen of advanced options to allow you to skip copying some files that you may not need. For example, special version control files shouldn't be copied.

Creating a New Module



The New Policy Module Wizard helps you to create new modules. Access this wizard by selecting 'File -> New', then 'SLIDE Module.'
  1. Select the project into which you want to add the module (required). By default, the wizard will display the name of the selected project in the Policy Explorer.
  2. Specify a unique name for the new module.
  3. Select the layer (optional if you are working on a module project referencing headers) - either select a layer that already exists or type in a new layer.
  4. Enter a brief summary for the module (required) and the version (required).
  5. The description is optional but should be filled in to help others know what the new module does.

If you press 'Finish' now, the wizard will create mostly empty module files for you. It will only generate the documentation (in correctly formed XML) based on the information entered and update the modules.conf file.

Continue to the next page in the wizard to provide details about the module's purpose, so the wizard can generate a more complete policy template. Select a module type, then expand the dropdowns to show sub-items for a selection. All path values are optional, but if they are left blank, the entry will not be created in the file context (.fc) file. There are three templates from which to choose:
  • Application
    Module for a user launched application process.
  • Daemon
    Module for a daemon process started by init or xinetd.
  • None
    Module with no additional policy created (same as pressing the Finish button on the first screen).
Press Finish to generate the policy template, then use the Module Editor to customize the new policy module.

Creating an Interface

The New Interface wizard helps you to create new interfaces. Start the wizard by right clicking in the 'Interfaces (.if)' tab of the Module Editor and select 'Add Interface...'.
  • Specify the interface name, summary, description (optional) and all interface parameters (parameter name and description).
  • Press 'Finish' and the wizard generates the 'interface' block at the end of the file, along with the comments in correctly formed XML.

Changing a Project's Properties

To change a project's properties, right click on the project and select 'Properties' (or select 'Project -> Properties' from the menu).

  • SLIDE Policy Project
    • Modify project build options and "policy.xml" file location
    • Modify Booleans, Modules, and Tunables properties in the GUI editor.
  • SLIDE Header Policy Module Preferences
    • Change Reference Policy headers location and "policy.xml" location

Changing the SLIDE Plugin Preferences

Bring up the SLIDE plugin preferences to set a default location for the Reference Policy source or headers and to modify features such as fonts and colors. To access the plugin preferences, select 'Window -> Preferences' from the menu, then 'SLIDE.'

SLIDE Connection

The Connection option specifies default settings for systems used to test and debug policy. These systems can be remote machines or virtual machines (VMware or other) as long as there is a secure shell server and slideremote running on the target machine.

[Screenshots: New Connection 1, New Connection 2, Connection Check]

To specify a new test system, press Add and a new connection will be added with default values. To modify these defaults, select the new connection (in our case the first one, since we only have one connection) and change the values as desired.

  • Name - Unique name for the connection.
  • Refresh - Rate at which the connection polls the remote machine for information.
  • Host - IP address or name of the remote machine.
  • Port - The port number on which SLIDE Remote listens. Do not change this value.
  • Username - Login name to use on the remote machine. The user must have permissions to read log files and manage policy.
  • Password - Password for Username. Leave this field blank to be prompted for the password when the connection is established.
  • LogFiles - Path of the log file(s) to show in the Audit view.

Press Test Connection to verify the settings. Note that the slideremote daemon must be running on the remote machine for this to work. Any communication problem will be reported.

Testing and Debugging Policy

SLIDE makes it easy to test and debug a policy using either a remote machine or a virtual machine (e.g., VMware). To use the Policy Test wizard, you must have a working project with either a monolithic or modular build, and your project must compile successfully.

Requirements

  • slideremote must be running on the remote machine on which you are installing policy.
  • The remote machine's policy and project's policy version must match.
  • The remote machine must have an ssh client and allow ssh connections.

To access the Policy Test wizard, right click on the project to test in Policy Explorer and select Run As -> Run... The Run configuration wizard is displayed.

Select Policy Test from the configurations list, then press New at the bottom of left pane.

A new testing configuration is created. Enter a Name for this configuration (e.g., MyApp Module Test). Three tabs provide specific information for the configuration:

  • Main - Select the project to test, remote operations to perform, and the connection to use, as follows.
    • Project - Select the project to test from the drop-down list (e.g., header_proj).
    • Starting Domain - Specify the domain in which to start the test (optional).
    • Connection - Select a connection from the drop-down list. If there are no connections, click on New... to bring up the Preferences -> Connections dialog and create a new connection. Then select the newly created connection (e.g., Local Machine 1).
    • Clear Audit View before deployment - If checked, clears the Audit View before launching the test.
    • Automatically reboot after policy installation - If checked, the remote machine will be rebooted after successful policy installation.
    • Relabel System - Check this box if your policy testing requires relabeling the file system.
    • Apply - When finished entering the above values, click Apply; any errors in the configuration will display.
  • Policy - If testing a modular policy build, select the modules to be tested; if testing a monolithic build project, select the policy file and file_contexts file from drop-down boxes. In this example, the project is a modular build so the modules to be tested must be selected.
    • Add... - Click on Add to bring up the Module Selection dialog, which displays the list of modules that have compiled successfully in the project. In this example, the list includes myapp.pp.
    • Apply - When done selecting modules to test, click Apply to display any errors.
  • Test Script - You can specify test scripts to install on the remote machine in /tmp/. These scripts will be executed once policy is installed successfully. Optionally, specify an output file name to which the script's output will be redirected.
    • Add... - Click on Add to select a test script. You can have 0 or more scripts.

Press Apply to verify that all required fields have been filled. If there are no errors, you are ready to launch the test.

Audit View

The Audit View displays the audit messages from the remote log files specified for the test connection, and provides sort, filter, and show/hide column functionality to facilitate tracking only messages of interest. The Audit View is independent of any project, meaning you can work on one project and at the same time use the view to analyze audit messages from other audit log files.

To analyze the logs for a working connection, select the connection from the drop-down menu in the Audit View. As new messages are fetched, the summary information will be updated:

  • Total number of messages and the category in which the messages fall (audit, bool, and load)
  • Date range for the messages
  • Connection name with status "Local Machine 1-RUNNING | Local Machine 1-SUSPENDED"

You can specify a filter to limit the types of messages displayed. If you have a filter enabled, the Audit View will show how many messages have been filtered (e.g., "Filter matched 100 of 2333 items"). The Audit View provides options to filter, sort, and show/hide columns. All these options are in the drop-down menu of the Audit View.

Filter options include enabling or disabling the filter, setting the maximum number of messages to display, and specifying text or regular expressions that must be matched within the audit messages.
Sorting can be performed either by clicking on a column title or by setting up to four columns as sort criteria in the Audit Sort dialog.
Pick columns to be visible by selecting them in the Show/Hide Columns dialog.
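
The summary and filter behaviour described above can be reproduced offline when reviewing a saved audit log. The following is an added example, not SLIDE's own code: the log lines are constructed, and the mapping of audit record types to the audit, bool and load categories is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records in Linux audit log format (not from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1200000000.123:101): avc:  denied  { read } for  pid=2345 comm="myapp" name="myapp.conf" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=MAC_POLICY_LOAD msg=audit(1200000050.000:102): policy loaded auid=0 ses=1
type=MAC_CONFIG_CHANGE msg=audit(1200000060.500:103): bool=allow_execmem val=1 old_val=0 auid=0 ses=1
type=AVC msg=audit(1200000100.250:104): avc:  denied  { write } for  pid=2345 comm="myapp" name="myapp.log" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:\d+\): (.*)$")
# Assumed mapping from audit record type to the categories named on the page.
CATEGORY = {"AVC": "audit", "MAC_CONFIG_CHANGE": "bool", "MAC_POLICY_LOAD": "load"}

def parse(log_text):
    """Return one dict per recognised record; unrecognised lines are skipped."""
    messages = []
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m or m.group(1) not in CATEGORY:
            continue
        rec_type, epoch, body = m.groups()
        messages.append({
            "category": CATEGORY[rec_type],
            "time": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
            "text": body,
        })
    return messages

def summarize(messages):
    """Total, per-category counts and date range, as in the view's summary."""
    counts = Counter(m["category"] for m in messages)
    times = [m["time"] for m in messages]
    return {"total": len(messages), "by_category": dict(counts),
            "first": min(times, default=None), "last": max(times, default=None)}

def apply_filter(messages, pattern, limit=None):
    """Keep messages whose text matches the regex; show at most `limit`."""
    rx = re.compile(pattern)
    matched = [m for m in messages if rx.search(m["text"])]
    shown = matched if limit is None else matched[:limit]
    return shown, f"Filter matched {len(matched)} of {len(messages)} items"

if __name__ == "__main__":
    msgs = parse(SAMPLE_LOG)
    print(summarize(msgs), apply_filter(msgs, r"denied\s+\{ write \}")[1])
```

Filtering on the source context, for example `scontext=\S+:myapp_t:`, narrows the view to denials raised by the domain of the module under test.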

The SLIDE plugin adds a new tab into the standard Eclipse search dialog to allow you to easily search through the policy for specific types and declarations. The search results display in the standard Eclipse 'Search' view. The search is broken down into three sections:

  • Interface - to search the interface (.if) files.
  • Private Policy - to search the private policy (.te) files.
  • File Context - to search the file context (.fc) files.

Each of these sections has check boxes to select the specific items to include in the search.

Interface

  • By Name - Search for an interface declaration that contains the text entered.
  • By Summary - Search the interface summaries for the text entered.
  • By Description - Search the interface descriptions for the text entered.
  • Containing Type - Search through the interfaces for types required that contain the text entered.

Private Policy

  • Type Declaration - Search for the declaration of a type that contains the text entered.
  • Interface Call - Search for a call to an interface containing the text entered.
  • Access Vector - Search for an access vector containing the text entered.

File Context

  • User - Search for file contexts that contain text entered in the user field.
  • Role - Search for file contexts that contain text entered in the role field.
  • Type - Search for file contexts that contain text entered in the type field.
  • MCS Level - Search for file contexts that contain text entered in the mcs field.
  • Matching Path - Search for file contexts where the path matches a path entered in the text field. This will find partial path matches, as well as specific paths.
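
The File Context search fields correspond to the parts of a gen_context() entry in a .fc file. The following added example (not SLIDE's code) parses constructed entries for a hypothetical myapp module and searches them by field and by path. Two assumptions: a "partial" match means the entered text occurs inside the entry's path specification, and Python's regex engine stands in for the one SELinux uses.

```python
import re
from typing import NamedTuple, Optional

# Constructed file-context entries for a hypothetical "myapp" module.
SAMPLE_FC = r"""
# myapp file contexts
/usr/bin/myapp          --  gen_context(system_u:object_r:myapp_exec_t,s0)
/etc/myapp\.conf        --  gen_context(system_u:object_r:myapp_etc_t,s0)
/var/log/myapp(/.*)?        gen_context(system_u:object_r:myapp_log_t,s0)
/var/run/myapp\.pid     --  gen_context(system_u:object_r:myapp_var_run_t,s0:c0.c1023)
"""

ENTRY = re.compile(
    r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-bcdpls])\s+)?"
    r"gen_context\((?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:,]+),(?P<mcs>[^,)]+)")

class FileContext(NamedTuple):
    path: str              # path specification (a regular expression)
    ftype: Optional[str]   # file type flag such as "--" or "-d", if present
    user: str
    role: str
    type: str
    mcs: str

def parse_fc(text):
    """Parse gen_context() entries, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line) if line and not line.startswith("#") else None
        if m:
            entries.append(FileContext(**m.groupdict()))
    return entries

def search_field(entries, field, text):
    """Entries whose user, role, type or mcs field contains `text`."""
    return [e for e in entries if text in getattr(e, field)]

def search_path(entries, path):
    """Specific match: the entry's regex matches the whole of `path`.
    Partial match (assumed meaning): `path` occurs inside the entry's spec."""
    return [e for e in entries
            if re.fullmatch(e.path, path) or path in e.path]
```

Calling search_path() with a concrete file name answers the review question of which entry would label that file, which helps when an AVC denial shows an unexpected target type.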