Re: example of a domain with transition policy
- From: Vadym Chepkov <chepkov yahoo com>
- To: domg472 gmail com
- Cc: fedora-selinux-list redhat com
- Subject: Re: example of a domain with transition policy
- Date: Thu, 29 Jan 2009 13:29:45 -0800 (PST)
Unfortunately, I have to allow for it to "work" now, but I don't want to turn off selinux.
My first draft is this, by the way, and it's "working", so managers are off my back.
ai.te:
policy_module(ai,0.0.1)
type ai_initrc_exec_t;
init_script_type(ai_initrc_exec_t);
type ai_exec_t;
userdom_executable_file(ai_exec_t);
unconfined_alias_domain(ai_t);
init_daemon_domain(ai_t,ai_exec_t)
type ai_log_t;
logging_log_file(ai_log_t)
manage_dirs_pattern(ai_t,ai_log_t,ai_log_t)
manage_files_pattern(ai_t,ai_log_t,ai_log_t)
ai.fc:
/etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
/usr/r/bin/aiadmin -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
/usr/r/bin/aiclient -- gen_context(system_u:object_r:ai_exec_t,s0)
/usr/r/bin/aiagent -- gen_context(system_u:object_r:ai_exec_t,s0)
/usr/r/logs(/.*)? gen_context(system_u:object_r:ai_log_t,s0)
I just need to figure out what kind of auditallow statement to put in so it will log what wasn't specifically allowed only.
The biggest challenge for me, so far, is to figure out all those macros from /usr/share/selinux/devel/include; I can't find any document that would have them all.
Sincerely yours,
Vadym Chepkov
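
For the macro-hunting problem raised in the message above, an added example (not part of the original post and not code from the policy project): a shell function that lists every `interface`/`template` macro defined in the `.if` files under a directory, with its summary text. The function names and the sample `.if` content are constructed for illustration, and the doc-comment layout (`## <summary>`, `## <param>`) is assumed to follow the usual reference-policy convention.

```shell
# Print name, kind, file and summary (tab-separated) for every
# interface/template macro defined in the .if files under a directory.
selinux_iface_index() {
    find "$1" -type f -name '*.if' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            # Summaries nested in <param> blocks describe arguments: skip them.
            /^##[ \t]*<param/    { inparam = 1; next }
            /^##[ \t]*<\/param>/ { inparam = 0; next }
            inparam              { next }
            /^##[ \t]*<summary>/ {
                line = $0; sub(/^##[ \t]*<summary>[ \t]*/, "", line)
                collecting = !sub(/[ \t]*<\/summary>.*$/, "", line)
                summary = line; next
            }
            collecting && /^##[ \t]*<\/summary>/ { collecting = 0; next }
            collecting {
                line = $0; sub(/^##[ \t]*/, "", line)
                summary = (summary == "" ? line : summary " " line); next
            }
            match($0, /^(interface|template)\(`[A-Za-z0-9_]+/) {
                decl = substr($0, RSTART, RLENGTH)
                kind = decl; sub(/\(.*/, "", kind)
                name = decl; sub(/^[a-z]+\(`/, "", name)
                printf "%s\t%s\t%s\t%s\n", name, kind, file, summary
                summary = ""
            }
        ' "$f"
    done
}

# Constructed sample in .if layout (hypothetical macro, not a real module).
selinux_iface_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/sample.if" <<'EOF'
## <summary>Constructed sample module</summary>
## <summary>
##	Constructed: mark a type as a
##	sample daemon domain.
## </summary>
## <param name="domain">
##	<summary>Type to be used as a domain.</summary>
## </param>
interface(`sample_daemon_domain',`
')
EOF
    selinux_iface_index "$tmp"
    rm -rf "$tmp"
}
```

On a system with the policy development files installed, `selinux_iface_index /usr/share/selinux/devel/include | grep log_file` narrows the index to the logging-related macros.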