

Sample Policy Scripts

Each policy is a selang script that includes comments that explain the policy's purpose and the rules it contains. Sample policy scripts are written to demonstrate best practices:

Example: Policy Script Comments

The following snippet from the Solaris SPARC 9 sample policy illustrates how sample policies are annotated. Following selang syntax rules, lines that begin with a hash symbol (#) are comments.

#
# * Home Directories Protection Policy *
# **************************************
#
# This policy uses the FILE class to protect the home
# directories of sensitive users so that only the owner
# of each directory can access it.
#
# Prerequisites:
#     None
#
# Roles:
#     None
#
# Containers:
#     POL_HOME_DIR      - home directories of sensitive users
#
# define container POL_HOME_DIR
# Protect home directories
editres   CONTAINER POL_HOME_DIR audit(<!POLICY_AUDIT_MODE>) owner(+nobody) comment("AC Sample - Protect home directories")
authorize CONTAINER POL_HOME_DIR uid(* _undefined)   access(NONE)
editres ACVAR ("HOME_OS_ADMIN") value("/root") type(static)
editusr (<!USER_OS_ADMIN>)
# define specific FILE resources and connect them with POL_HOME_DIR
editres FILE ("<!HOME_OS_ADMIN>/*") audit(<!POLICY_AUDIT_MODE>) owner(+nobody) defaccess(NONE) <!POLICY_WARNING_MODE>  comment("AC Sample")
authorize FILE ("<!HOME_OS_ADMIN>/*") uid(<!USER_OS_ADMIN>) access(ALL)
chres CONTAINER POL_HOME_DIR mem+("<!HOME_OS_ADMIN>/*") of_class(FILE)

Example: Containers in Sample Policies

The following selang output shows the properties of the POL_SYS_FILES container. An AIX sample policy contains this sub-policy, which protects system files.

AC> sr container POL_SYS_FILES
Data for CONTAINER 'POL_SYS_FILES'
------------------------------------------------------------------------
ACLs              :
    Accessor                Access
    ROL_SYSADMIN  (GROUP  ) All
    ROL_SYSTEM    (GROUP  ) All
    *             (USER   ) R, Chdir
    _undefined    (USER   ) R, Chdir
Members           :
    /boot/*       (FILE  )
    /dev/kmem     (FILE  )
    /dev/mem      (FILE  )
    /dev/port     (FILE  )
Audit mode        : Failure
Owner             : +nobody       (USER  )
Create time       : 10-Dec-2008 10:32
Update time       : 10-Dec-2008 10:35
Updated by        : root          (USER  )
Comment           : AC Sample - Protect OS system files

Example: Variables in Sample Policies

The following snippet from the Red Hat Enterprise Linux 5 sample policy illustrates how sample policies use variables. In this snippet, the sample policy defines possible names for the local host and the home directory of the administrative user root.

#
# * AC Variables Definitions *
# ****************************
#
# The rules in this section define variables that policies use.
# Variables:
#     LOCALHOST             : list of possible names for local host
#     POLICY_AUDIT_MODE     : set policies audit mode
#     POLICY_DEFACCESS      : set defaccess of policies' resources
#
editres ACVAR ("LOCALHOST") value("localhost") type(static)
editres ACVAR ("LOCALHOST") value+("127.0.0.1")
editres ACVAR ("LOCALHOST") value+("0.0.0.0")
editres ACVAR ("POLICY_AUDIT_MODE")   value("FAILURE") type(static)
editres ACVAR ("POLICY_DEFACCESS")    value("ALL")     type(static)
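As an added example that is not part of this documentation or of the product, the following Python script reads the editres ACVAR definitions in a selang fragment, collects every <!VAR> reference the rules make (including a bare reference such as <!POLICY_WARNING_MODE>), flags references that no ACVAR in the fragment defines, and resolves single-valued variables in a rule. The fragment, the function names and the decision to leave multi-valued variables unresolved are assumptions made for this example.

```python
import re
from typing import Dict, List, Set

# Constructed selang fragment in the style of the page's snippets; not a real sample policy.
POLICY = """\
# Variables
editres ACVAR ("LOCALHOST") value("localhost") type(static)
editres ACVAR ("LOCALHOST") value+("127.0.0.1")
editres ACVAR ("POLICY_AUDIT_MODE") value("FAILURE") type(static)
editres ACVAR ("HOME_OS_ADMIN") value("/root") type(static)
# Rules that reference variables
editres FILE ("<!HOME_OS_ADMIN>/*") audit(<!POLICY_AUDIT_MODE>) defaccess(NONE) <!POLICY_WARNING_MODE> comment("AC Sample")
authorize FILE ("<!HOME_OS_ADMIN>/*") uid(<!USER_OS_ADMIN>) access(ALL)
"""

ACVAR_RE = re.compile(r'^editres\s+ACVAR\s+\("([^"]+)"\)\s+value(\+?)\("([^"]*)"\)')
REF_RE = re.compile(r'<!([A-Za-z0-9_]+)>')

def parse_acvars(script: str) -> Dict[str, List[str]]:
    """Collect ACVAR definitions: value() starts the list, value+() appends to it."""
    acvars: Dict[str, List[str]] = {}
    for line in script.splitlines():
        m = ACVAR_RE.match(line.strip())
        if m:
            name, plus, val = m.groups()
            if plus:
                acvars.setdefault(name, []).append(val)
            else:
                acvars[name] = [val]
    return acvars

def undefined_variables(script: str) -> Set[str]:
    """Every <!VAR> used in a non-comment line that no ACVAR in the same script defines."""
    refs: Set[str] = set()
    for line in script.splitlines():
        s = line.strip()
        if s and not s.startswith('#'):
            refs.update(REF_RE.findall(s))
    return refs - set(parse_acvars(script))

def resolve(text: str, acvars: Dict[str, List[str]]) -> str:
    """Substitute single-valued variables; multi-valued or undefined ones raise (assumption for this example)."""
    def sub(m: "re.Match[str]") -> str:
        vals = acvars.get(m.group(1))
        if vals is None or len(vals) != 1:
            raise KeyError(m.group(1))
        return vals[0]
    return REF_RE.sub(sub, text)
```

Running undefined_variables over a full sample policy before deployment shows which variables the policy expects the endpoint or another script to supply.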

More information:

User-Defined Variables

Built-In Variables

Guidelines for Using Variables

How an Endpoint Resolves Variables