Tom London wrote:
> [root@localhost ~]# ps agxZ | grep initrc_t
> system_u:system_r:initrc_t 2818 ? S 0:00 nasd -b -local
> system_u:system_r:initrc_t 3174 ? Ss 0:00 NetworkManagerDispatcher --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
> system_u:system_r:unconfined_t 3802 pts/0 S+ 0:00 grep initrc_t
> [root@localhost ~]#
>
> So, nasd and Network run in initrc_t. Should nasd have its own domain (e.g., nasd_exec_t -> nasd_t)?

Yes, anyone out there looking to get their feet wet in writing policy, this is probably a good one to start on. Try out system-config-selinux, go to the modules tab and select new. Comments welcome. I plan on writing up a tutorial on this, soon.

> What about NetworkManagerDispatcher (e.g., also NetworkManager_exec_t, other?)?

This really needs a different interface also. And the scripts need to be labeled. One problem with this is these scripts could do anything, so writing a policy to do this dispatcher would need to be able to transition to lots of domains. Maybe add an interface to it so it, like apache, can run scripts in different contexts. But we would have to ship a NetworkManager_unconfined_script_exec_t for the default.

> tom
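For readers who want to try the nasd case discussed above, here is a minimal reference-policy module that gives nasd its own domain. This is an added example written for this page, not code from the thread, from the Fedora policy, or from the system-config-selinux wizard. The interface names are the standard reference policy ones; the binary path /usr/bin/nasd, the PID-file handling, the port and sound-device access, and the module version are assumptions about what nasd needs and should be adjusted against the AVC denials you actually see.

```selinux
# ---- nasd.te ----
# Assumed minimal module: start nasd in permissive mode, then refine with audit2allow.
policy_module(nasd, 1.0.0)

# The domain the daemon runs in and the type of its executable.
type nasd_t;
type nasd_exec_t;
# Declares nasd_t as a daemon domain and sets up the automatic transition
# initrc_t -> nasd_t when init runs a file labeled nasd_exec_t.
init_daemon_domain(nasd_t, nasd_exec_t)

# PID file under /var/run (assumption: nasd may not write one at all).
type nasd_var_run_t;
files_pid_file(nasd_var_run_t)
manage_files_pattern(nasd_t, nasd_var_run_t, nasd_var_run_t)
files_pid_filetrans(nasd_t, nasd_var_run_t, file)

# Baseline access almost every daemon needs.
files_read_etc_files(nasd_t)
miscfiles_read_localization(nasd_t)
logging_send_syslog_msg(nasd_t)

# Network audio server: accept TCP clients (assumption: it binds an unreserved port).
allow nasd_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(nasd_t)
corenet_tcp_bind_all_unreserved_ports(nasd_t)
corenet_tcp_sendrecv_generic_if(nasd_t)
corenet_tcp_sendrecv_generic_node(nasd_t)

# Sound device access so the server can actually play audio.
dev_read_sound(nasd_t)
dev_write_sound(nasd_t)

# ---- nasd.fc ----
# File contexts; the path is an assumption, check `which nasd` on your system.
/usr/bin/nasd    --    gen_context(system_u:object_r:nasd_exec_t,s0)

# ---- build and load (selinux-policy-devel Makefile) ----
#   make -f /usr/share/selinux/devel/Makefile nasd.pp
#   semodule -i nasd.pp
#   restorecon -v /usr/bin/nasd
# After restarting nasd, `ps -eZ | grep nasd` should show nasd_t instead of initrc_t.
```

The important line is init_daemon_domain: without it the executable is labeled nasd_exec_t but init still runs it in initrc_t, which is exactly the state shown in the ps output above. Run the daemon permissive first (semanage permissive -a nasd_t) so that missing rules show up as AVC denials rather than as a broken service, and only then switch the domain to enforcing.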