Re: example of a domain with transition policy
- From: Stephen Smalley <sds tycho nsa gov>
- To: Vadym Chepkov <chepkov yahoo com>
- Cc: Daniel J Walsh <dwalsh redhat com>, fedora-selinux-list redhat com
- Subject: Re: example of a domain with transition policy
- Date: Fri, 30 Jan 2009 07:50:12 -0500
On Thu, 2009-01-29 at 14:43 -0800, Vadym Chepkov wrote:
> > I don't think you want an alias (i.e. two names for the same domain) but
> > rather another domain that is unconfined as well. Use unconfined_domain().
>
> sshd_t is defined this way in Redhat policy, I learn from the masters :)
>
> $ cd /home/vvc/rpmbuild/BUILD/serefpolicy-2.4.6/policy/modules/services
> $ grep sshd_t ssh.te |grep domain
> unconfined_alias_domain(sshd_t)
> init_system_domain(sshd_t,sshd_exec_t)
That has changed in newer policies. But regardless, if you want to be
able to see allows/denies on ai_t, you can't make it an alias - it needs
to be its own distinct type. Aliases are just turned into the same
underlying type internally, so they will still show up as unconfined_t
in audit messages and ps -Z output.
> >
> > Interesting question about auditallow; you might need a script to
> > generate the right set, maybe derived from audit2allow/sepolgen innards.
> > Watch out though - auditallow'ing everything will flood your system with
> > too many audit messages.
>
> Exactly, I want to avoid it.
--
Stephen Smalley
National Security Agency
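
Added example, not part of the original message or of any shipped policy: a reference-policy style module contrasting the alias form with a distinct ai_t domain that stays unconfined. The module name, ai_exec_t, the unconfined_r role and the auditallow permission set are assumptions chosen for illustration.

```selinux
policy_module(ai, 1.0.0)   # module name and version are assumptions

gen_require(`
	type unconfined_t;
	role unconfined_r;     # assumed role; use the role unconfined_t runs in
')

# Alias form, shown commented out. ai_t would be a second name for
# unconfined_t, so AVC records and ps -Z output report unconfined_t
# and activity under ai_t cannot be told apart from the rest.
#   typealias unconfined_t alias ai_t;

# Distinct type: ai_t is its own domain and is reported under its own name.
type ai_t;
type ai_exec_t;            # hypothetical entrypoint type for the program
domain_type(ai_t)
domain_entry_file(ai_t, ai_exec_t)
role unconfined_r types ai_t;

# Enter ai_t when unconfined_t executes a file labeled ai_exec_t.
domtrans_pattern(unconfined_t, ai_exec_t, ai_t)

# Keep the new domain unconfined, as suggested in the thread.
unconfined_domain(ai_t)

# Audit a narrow, chosen set of granted permissions rather than everything,
# to avoid flooding the audit log. The permissions listed are constructed.
auditallow ai_t self:capability { net_admin sys_admin };
```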