

Create a Policy That Defines a Variable

Creating and deploying a policy that defines a variable lets you define the same variable on many endpoints.

To create a policy that defines a variable

  1. Create a script file with selang deployment commands that define the variables. Use the following selang command to define each variable:
    editres ACVAR ("variable_name") value("variable_value")
    
  2. (Optional) Add selang commands that use the variable to the script file.

    Note: You must define each variable in the policy before you refer to it in a subsequent rule in the policy. Use the following format to refer to the variable: "<!variable>"

  3. Store the policy on the DMS.

Example: Create a Policy That Defines a Variable

In this example, the following policy defines a variable named jboss_home that has a value of /opt/jboss, and creates a rule that authorizes user Mark to access any resource in the /opt directory when the access is made through the JBoss program.

editres ACVAR ("jboss_home") value("/opt/jboss")
authorize FILE /opt/* uid(Mark) access(all) via(pgm("<!jboss_home>/jboss"))

When the endpoint compiles the policy, it creates the following rule:

authorize FILE /opt/* uid(Mark) access(all) via(pgm(/opt/jboss/jboss))

Example: Create a Policy That Defines Multiple Variable Values

The following policy defines a variable named jboss_home that has a value of C:\JBoss, adds the C:\Program Files\JBoss value to the jboss_home variable, and creates an access rule:

editres ACVAR ("jboss_home") value("C:\JBoss")
editres ACVAR ("jboss_home") value+("C:\Program Files\JBoss")
editres FILE ("<!jboss_home>\bin") defacc(none) audit(a)

When the endpoint compiles the policy, it creates the following rules:

editres FILE ("C:\JBoss\bin") defacc(none) audit(a)
editres FILE ("C:\Program Files\JBoss\bin") defacc(none) audit(a)
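The two examples above show what the endpoint produces but not the mechanics. The following Python script is an added illustration, not code from the CA Access Control documentation or from the product itself: it mimics how an endpoint expands <!variable> references when it compiles a policy. Each value+ appends another value, every rule that references the variable is multiplied out into one rule per value, and a reference to a variable that has not yet been defined is rejected, as the note in the procedure requires. The two sample policies are the ones shown on this page; the parsing rules (in particular, that a plain value() after value+ replaces the whole list, and that quotes in the original rule are kept) are assumptions about the selang syntax shown here, not a reimplementation of the product's compiler.

```python
import re

# Sample policies, copied from the two examples on this page.
POLICY_UNIX = """\
editres ACVAR ("jboss_home") value("/opt/jboss")
authorize FILE /opt/* uid(Mark) access(all) via(pgm("<!jboss_home>/jboss"))
"""

POLICY_WINDOWS = r"""editres ACVAR ("jboss_home") value("C:\JBoss")
editres ACVAR ("jboss_home") value+("C:\Program Files\JBoss")
editres FILE ("<!jboss_home>\bin") defacc(none) audit(a)
"""

# Assumed shape of a variable definition: editres ACVAR ("name") value("v") or value+("v").
ACVAR_RE = re.compile(
    r'^editres\s+ACVAR\s*\(\s*"([^"]+)"\s*\)\s*value(\+?)\s*\(\s*"([^"]*)"\s*\)\s*$'
)
# A variable reference inside any other rule, in the "<!variable>" format from the page.
VAR_REF_RE = re.compile(r"<!([A-Za-z0-9_]+)>")


def expand_policy(script):
    """Return the list of compiled rules for a policy script.

    Variable definitions are consumed; every other non-empty line is emitted
    once per combination of values of the variables it references.
    Raises ValueError if a rule references a variable defined later or never.
    """
    variables = {}   # name -> list of values, in definition order
    rules = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ACVAR_RE.match(line)
        if m:
            name, plus, value = m.groups()
            if plus:
                # value+ appends to whatever the variable already holds (assumption).
                variables.setdefault(name, []).append(value)
            else:
                # A plain value() starts the variable over with a single value (assumption).
                variables[name] = [value]
            continue
        expansions = [line]
        # dict.fromkeys keeps each referenced name once, in order of first appearance.
        for name in dict.fromkeys(VAR_REF_RE.findall(line)):
            if name not in variables:
                raise ValueError(
                    f"line {lineno}: variable {name!r} is referenced before it is defined"
                )
            # Multiply out: one copy of the rule per value of this variable.
            expansions = [e.replace(f"<!{name}>", v) for e in expansions for v in variables[name]]
        rules.extend(expansions)
    return rules


def policy_errors(script):
    """Return a list of error messages (empty if the script compiles cleanly)."""
    try:
        expand_policy(script)
    except ValueError as err:
        return [str(err)]
    return []


if __name__ == "__main__":
    for rule in expand_policy(POLICY_UNIX) + expand_policy(POLICY_WINDOWS):
        print(rule)
    # Same rule without the preceding definition: rejected, as the procedure's note states.
    print(policy_errors(POLICY_UNIX.splitlines()[1]))
```

Running the script prints the three compiled rules shown on this page (the UNIX rule keeps the quotes around the pgm argument exactly as they appear in the source rule) and then one error message for the rule that references jboss_home before any definition. Checking a policy this way before storing it on the DMS catches an ordering mistake on the authoring side rather than at deployment time.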

Example: Use Variables to Deploy the Same Policy to Windows and UNIX Endpoints

The following example explains how you can use variables to deploy the same JBoss policy to Windows and UNIX endpoints, even though JBoss is installed in a different location on each operating system:

  1. Define two jboss_home variables, one for each operating system, each set to that operating system's JBoss installation location.
  2. Create a policy that uses the jboss_home variable to protect the JBoss installation location, and deploy the policy to Windows and UNIX endpoints:
    editres FILE "<!jboss_home>" defacc(none) audit(all)