Agent Skills: SELinux Knowledge Patch

SELinux changes since training cutoff (latest: 0.1.0) — CIL policy language, udica container policies, allowxperm netlink filtering, default object rules. Load before working with SELinux.

Category: Uncategorized
ID: nevaberry/nevaberry-plugins/selinux-knowledge-patch

Install this agent skill to your local

```shell
pnpm dlx add-skill https://github.com/Nevaberry/nevaberry-plugins/tree/HEAD/plugins/selinux-knowledge-patch/skills/selinux-knowledge-patch
```

Skill Files


plugins/selinux-knowledge-patch/skills/selinux-knowledge-patch/SKILL.md

Skill Metadata

Name
selinux-knowledge-patch
Description
"SELinux changes since training cutoff (latest: 0.1.0) — CIL policy language, udica container policies, allowxperm netlink filtering, default object rules. Load before working with SELinux."

SELinux Knowledge Patch

Covers SELinux policy development features added after Claude's training cutoff.

Baseline knowledge: SELinux modes (enforcing/permissive/disabled), security contexts (user:role:type:level), booleans (setsebool/getsebool), basic policy management (semanage, semodule, restorecon), and audit2allow.

Quick Reference: CIL vs Kernel Policy Language

CIL (Common Intermediate Language) replaces M4-based .te/.if/.fc policy modules with S-expression syntax:

| Kernel Policy | CIL Equivalent | Notes |
|---|---|---|
| attribute | typeattribute | Declares a type attribute |
| typeattribute | typeattributeset | Assigns types to an attribute |
| attribute_role | roleattribute | Declares a role attribute |
| allow | allow | Same syntax, S-expression form |
| module / require | block / blockinherit | Namespacing replaces module system |

CIL eliminates M4 macro dependency and module load-ordering requirements.

CIL Policy Basics

CIL uses (block ...) for namespacing — all declarations inside a block are scoped:

```
(block myapp
    (type process)
    (type data)
    (role app_r)
    (roletype app_r process)
    (allow process data (file (read write open getattr)))
)
```

Types are referenced across blocks as blockname.typename (e.g., myapp.process).

Block Inheritance

Blocks can inherit from other blocks, replacing the M4 template/interface pattern:

```
(block base_app
    (type process)
    (type data)
)

(block webapp
    (blockinherit base_app)
    ;; webapp.process and webapp.data now exist
    (allow process data (file (read write)))
)
```

Access Rule Syntax

CIL access rules group permissions by object class in S-expressions:

```
;; Single class, multiple permissions
(allow src_t tgt_t (file (read write open getattr)))

;; Multiple classes in one rule
(allow src_t tgt_t (file (read write)) (dir (search getattr)))
```

Loading CIL Modules

Compile and load CIL policies directly with semodule — no .pp compilation step:

```shell
semodule -i myapp.cil
semodule -r myapp        # remove
```

See references/cil-policy.md for full CIL syntax details and examples.

udica: Container Policy Generator

Generate tailored SELinux policies for containers from their runtime inspection data:

```shell
# Inspect running container → generate CIL policy
podman inspect <container_id> | udica my_policy

# Install policy with required template modules
semodule -i my_policy.cil \
    /usr/share/udica/templates/{base_container.cil,net_container.cil,home_container.cil}

# Run container with the custom policy
podman run --security-opt label=type:my_policy.process ...
```

udica parses container JSON for capabilities, mount points, and ports, then combines appropriate CIL template blocks. Works with Podman and Docker.

See references/container-policy.md for template selection and advanced usage.

Kernel Policy Extensions

allowxperm Netlink Message Filtering (kernel >= 6.13)

Extended permissions now support netlink message type filtering. This requires enabling the netlink_xperm policy capability, written as policycap netlink_xperm; in kernel policy language or, in CIL:

```
(policycap netlink_xperm)
```

Grant base nlmsg permission, then filter by message type hex value:

```
allow src_t tgt_t : netlink_route_socket nlmsg;
allowxperm src_t tgt_t : netlink_route_socket nlmsg { 0x12 };
```

Supported socket classes:

| Socket Class | Use Case |
|---|---|
| netlink_route_socket | Route, link, address management |
| netlink_tcpdiag_socket | TCP diagnostic queries |
| netlink_xfrm_socket | IPsec/XFRM policy and state |
| netlink_audit_socket | Audit subsystem control |
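The following is an added example, not kernel code and not part of the original skill file. It models how the two rules above combine: the base nlmsg permission must be granted first, and once any allowxperm rule exists for a (source, target, class) triple only the listed message types pass; without such a rule a plain allow admits every message type. The RTM_* values come from the kernel's rtnetlink.h (the page's 0x12 is RTM_GETLINK); the type names ip_t and netd_t are constructed, and the policycap gate itself is not modelled.

```python
"""Model of how an allow rule and an allowxperm rule combine for nlmsg.

Added example, not kernel code. Type names (ip_t, netd_t) are constructed;
RTM_* values are the fixed kernel ABI numbers from <linux/rtnetlink.h>.
"""
from collections import defaultdict

# Netlink route message types (values fixed by the kernel ABI).
RTM_TYPES = {
    "RTM_NEWLINK": 0x10, "RTM_DELLINK": 0x11, "RTM_GETLINK": 0x12, "RTM_SETLINK": 0x13,
    "RTM_NEWADDR": 0x14, "RTM_DELADDR": 0x15, "RTM_GETADDR": 0x16,
    "RTM_NEWROUTE": 0x18, "RTM_DELROUTE": 0x19, "RTM_GETROUTE": 0x1a,
}


class NetlinkXpermPolicy:
    """Records base allow rules and per-triple allowxperm message-type sets."""

    def __init__(self):
        self.base_allow = set()              # (src, tgt, cls) triples with nlmsg granted
        self.xperm_types = defaultdict(set)  # (src, tgt, cls) -> permitted message types

    def allow_nlmsg(self, src, tgt, cls):
        """allow src tgt : cls nlmsg;"""
        self.base_allow.add((src, tgt, cls))

    def allowxperm_nlmsg(self, src, tgt, cls, types):
        """allowxperm src tgt : cls nlmsg { ... }; `types` holds ints or inclusive (low, high) ranges."""
        for entry in types:
            if isinstance(entry, tuple):
                low, high = entry
                self.xperm_types[(src, tgt, cls)].update(range(low, high + 1))
            else:
                self.xperm_types[(src, tgt, cls)].add(entry)

    def permitted(self, src, tgt, cls, msg_type):
        """Decision for one message: xperm rules only ever narrow a base allow."""
        key = (src, tgt, cls)
        if key not in self.base_allow:
            return False                     # no base nlmsg permission: denied regardless of xperm
        if key not in self.xperm_types:
            return True                      # no allowxperm rule: every message type is allowed
        return msg_type in self.xperm_types[key]

    def render(self):
        """Equivalent kernel policy language lines, in the form shown on the page."""
        lines = []
        for src, tgt, cls in sorted(self.base_allow):
            lines.append(f"allow {src} {tgt} : {cls} nlmsg;")
            types = self.xperm_types.get((src, tgt, cls))
            if types:
                hexes = " ".join(f"0x{t:x}" for t in sorted(types))
                lines.append(f"allowxperm {src} {tgt} : {cls} nlmsg {{ {hexes} }};")
        return lines


if __name__ == "__main__":
    policy = NetlinkXpermPolicy()
    cls = "netlink_route_socket"
    # A read-only tool: may query links and addresses, but not change them.
    policy.allow_nlmsg("ip_t", "ip_t", cls)
    policy.allowxperm_nlmsg("ip_t", "ip_t", cls, [RTM_TYPES["RTM_GETLINK"], RTM_TYPES["RTM_GETADDR"]])
    # A daemon with a plain allow and no allowxperm rule: all message types pass.
    policy.allow_nlmsg("netd_t", "netd_t", cls)
    print("\n".join(policy.render()))
    print(policy.permitted("ip_t", "ip_t", cls, RTM_TYPES["RTM_GETLINK"]))     # True
    print(policy.permitted("ip_t", "ip_t", cls, RTM_TYPES["RTM_NEWLINK"]))     # False
    print(policy.permitted("netd_t", "netd_t", cls, RTM_TYPES["RTM_NEWLINK"]))  # True
```

The practical consequence for policy authors is the one the model makes explicit: adding an allowxperm line for a domain that previously had only the base allow is a tightening, so audit any such domain for the message types it legitimately sends before enabling the policycap.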

Default Object Rules (policy version 27+)

Control which context field (source or target) provides user/role/type/range for newly created objects:

```
default_user file target;
default_role file source;
default_type file source;
default_range file target low;
```

The low, high, or low_high qualifier on default_range controls which part of the MLS range is used. Applies to file, dir, lnk_file, chr_file, blk_file, sock_file, fifo_file and other object classes that undergo labeling transitions.
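The following is an added example, not kernel code and not part of the original skill file. It works the four rules above through on concrete contexts: each default_* rule picks the user, role, type or range from either the creating process (source) or the related object such as the parent directory (target), and the low, high or low_high qualifier selects which part of the chosen MLS range the new object gets. The fallbacks used when a class has no rule follow the long-standing kernel behaviour for object classes (user from source, role object_r, type from target, range = source low); a matching type_transition rule is modelled as an optional override, role and range transitions are not. The contexts are constructed.

```python
"""Compute the context a newly created object receives under default_* rules.

Added example, not kernel code. Contexts are constructed; fallbacks when no
rule is present model the kernel's behaviour for object classes.
"""


def parse_context(ctx):
    """Split 'user:role:type:low[-high]' into its fields (high defaults to low)."""
    user, role, type_name, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    return {"user": user, "role": role, "type": type_name, "low": low, "high": high or low}


def format_context(c):
    rng = c["low"] if c["low"] == c["high"] else f"{c['low']}-{c['high']}"
    return f"{c['user']}:{c['role']}:{c['type']}:{rng}"


# Behaviour when a class has no default_* rule (object classes such as file/dir).
FALLBACK = {"user": "source", "role": "object_r", "type": "target", "range": "source low"}

# The page's example rules, keyed by object class.
EXAMPLE_DEFAULTS = {
    "file": {"user": "target", "role": "source", "type": "source", "range": "target low"},
}


def compute_create_context(scontext, tcontext, cls, defaults, type_transitions=None):
    """scontext: creating process; tcontext: related object (e.g. the parent directory).

    defaults maps class -> {"user"|"role"|"type": "source"|"target",
                            "range": "<source|target> <low|high|low_high>"}.
    type_transitions optionally maps (source type, target type, class) -> new type.
    """
    s, t = parse_context(scontext), parse_context(tcontext)
    rules = {**FALLBACK, **defaults.get(cls, {})}
    pick = {"source": s, "target": t}

    user = pick[rules["user"]]["user"]
    role = "object_r" if rules["role"] == "object_r" else pick[rules["role"]]["role"]
    type_name = pick[rules["type"]]["type"]
    # A matching type_transition rule takes precedence over default_type.
    if type_transitions:
        type_name = type_transitions.get((s["type"], t["type"], cls), type_name)

    which, _, part = rules["range"].partition(" ")
    chosen = pick[which]
    if part == "low":
        low = high = chosen["low"]
    elif part == "high":
        low = high = chosen["high"]
    elif part == "low_high":
        low, high = chosen["low"], chosen["high"]
    else:
        raise ValueError(f"unknown default_range qualifier: {part!r}")
    return format_context({"user": user, "role": role, "type": type_name, "low": low, "high": high})


if __name__ == "__main__":
    proc = "staff_u:staff_r:staff_t:s0-s2:c1"    # constructed creating-process context
    parent = "system_u:object_r:var_t:s1-s3"      # constructed parent-directory context
    # With the page's rules for `file`: user/range from the directory, role/type from the process.
    print(compute_create_context(proc, parent, "file", EXAMPLE_DEFAULTS))  # system_u:staff_r:staff_t:s1
    # `dir` has no rules here, so the kernel fallbacks apply.
    print(compute_create_context(proc, parent, "dir", EXAMPLE_DEFAULTS))   # staff_u:object_r:var_t:s0
```

Running the two cases side by side is the quickest way to see what a default_* rule changes: the same process creating a file and a directory in the same parent ends up with different users and types purely because the file class carries rules and the dir class does not.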

See references/kernel-policy-extensions.md for detailed semantics and range qualifier reference.

Reference Files

| File | Contents |
|---|---|
| cil-policy.md | CIL syntax, blocks, inheritance, type/role declarations, access rules |
| container-policy.md | udica container policy generation, templates, Podman/Docker workflow |
| kernel-policy-extensions.md | allowxperm nlmsg rules, default object rules, policycap requirements |