Create new types in modules?
Stephen Smalley
sds at tycho.nsa.gov
Thu Apr 13 12:20:21 UTC 2006
On Thu, 2006-04-13 at 08:08 -0400, Stephen Smalley wrote:
> > So, my idea was to define everything under my chroot as a new type,
> > mock_root_t, and then have a module like this:
> >
> > module mock 0.2;
> >
> > require {
> > class file execmod;
> >
> > type unconfined_t;
> > type mock_root_t;
> > };
>
> Move the mock_root_t type decl outside of the requires block.
Oh, and you should really do it like this (similar to my prior
discussion about creating a policy module for the samba issue):
$ mkdir mock
$ cd mock
$ vi mock.te
i(nsert)
policy_module(mock, 0.2)
require {
type unconfined_t;
};
type mock_root_t;
files_type(mock_root_t) # allow this type to be used for files
allow unconfined_t mock_root_t:file execmod;
:wq
$ touch mock.if mock.fc
$ make -f /usr/share/selinux/devel/Makefile
$ su
# semodule -i mock.pp
Chad and Dan, can we get this kind of example (and/or the prior one I
created for the samba issue) added to the FAQ? Otherwise, people don't
have good examples to follow.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list