constraining an app in targeted policy

Benjamin Youngdahl ben.youngdahl at gmail.com
Tue Dec 20 05:16:47 UTC 2005


I have a question on locking down an application under the targeted policy.

The policy module I've tried is below.  I can see that the process has the
appropriate type in "ps -Z":

root:system_r:bentest_t:SystemLow-SystemHigh 13127 pts/1 00:00:00 bentest

But it still appears to have all the power of "unconfined_t".  I did do a
"restorecon -RF", and the files are appropriately labeled.

Is it possible for an app to confine "unconfined_t", or should I be
switching over to the replacement for the strict policy?  (I think it is
just called "mls" at this point, which is a confusing name considering that
targeted itself is an "mls" it seems.)

If I do need to switch to "selinux-policy-mls", is that policy ready for
prime time?

Apologies in advance if I'm way off base in my understanding.

Thanks!
Ben

-------------

policy_module(bentest,1.0.4)

########################################
#
# Declarations
#

# Private type declarations
# bentest_t is the process domain; bentest_exec_t is the label on the
# executable that serves as the entry point into that domain.
type bentest_t;
type bentest_exec_t;
domain_type(bentest_t)
domain_entry_file(bentest_t,bentest_exec_t)
role system_r types bentest_t;

########################################
#
# Local policy
#

# Executing a file labeled bentest_exec_t from unconfined_t moves the new
# process into bentest_t (execute permission on the entry point plus the
# process type_transition rule).
domain_auto_trans(unconfined_t,bentest_exec_t,bentest_t)
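The following script is an added example and is not part of Ben's post or the Fedora policy sources. It writes a module of the same shape as the one above together with the file-contexts (.fc) entry that the post does not show, builds and loads it, and then checks the pieces a confinement test depends on: the label on the binary, the label on the running process, the enforcing mode, and any AVC denials logged for the program. It assumes the binary lives at /usr/local/bin/bentest (a placeholder path), that selinux-policy-devel is installed so /usr/share/selinux/devel/Makefile exists, and that the build and verify steps run as root on a host using the targeted policy. The gen_require block is added so the reference to unconfined_t is in scope when the module is compiled on its own; the files_type call marks the executable type as a file type so the label can be applied with restorecon.

```shell
#!/bin/sh
# Added example (not the original post's module): generate, build, load and
# verify a small reference-policy module for a hypothetical binary.
# Assumptions: BIN_PATH is a placeholder, selinux-policy-devel provides the
# Makefile below, and build/verify run as root on a targeted-policy host.

MODULE=bentest
BIN_PATH=/usr/local/bin/bentest   # hypothetical path; point this at the real binary

# Write $MODULE.te and $MODULE.fc into the directory given as $1.
write_policy_files() {
    dir=$1
    cat > "$dir/$MODULE.te" <<'EOF'
policy_module(bentest,1.0.5)

########################################
#
# Declarations
#

# The process domain and the entry-point file type, declared before use.
type bentest_t;
type bentest_exec_t;
domain_type(bentest_t)
domain_entry_file(bentest_t,bentest_exec_t)
files_type(bentest_exec_t)
role system_r types bentest_t;

########################################
#
# Local policy
#

# unconfined_t belongs to another module, so bring it into scope explicitly.
gen_require(`
	type unconfined_t;
')

# A process in unconfined_t that executes a bentest_exec_t file lands in
# bentest_t.  bentest_t itself gets no further allow rules here, so any access
# it needs must be added deliberately; denials show up as AVC messages.
domain_auto_trans(unconfined_t,bentest_exec_t,bentest_t)
EOF
    # File contexts: without this entry the binary keeps its old label and no
    # transition can happen even though the module loads.
    cat > "$dir/$MODULE.fc" <<EOF
$BIN_PATH    --    gen_context(system_u:object_r:bentest_exec_t,s0)
EOF
}

# Build the .pp package, install it, and relabel the binary from the new .fc.
build_and_load() {
    dir=$1
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" ) || return 1
    semodule -i "$dir/$MODULE.pp" || return 1
    restorecon -v "$BIN_PATH"
}

# Confirm the binary and the running process carry the expected labels, that
# the kernel is actually enforcing, and whether the domain is being denied
# anything.  A domain is only as confined as the rules it is granted, so an
# empty denial log on a busy program is the thing to look at twice.
verify_confinement() {
    echo "enforcing mode: $(getenforce)"
    ls -Z "$BIN_PATH"
    ps -eZ | grep bentest_t || echo "no process running in bentest_t"
    ausearch -m AVC -c "$(basename "$BIN_PATH")" 2>/dev/null \
        || echo "no AVC denials recorded for $(basename "$BIN_PATH")"
}

# Usage: sh confine.sh build   (as root)   then run the program and: sh confine.sh verify
case "${1:-}" in
    build)  d=$(mktemp -d); write_policy_files "$d"; build_and_load "$d" ;;
    verify) verify_confinement ;;
esac
```

The build step is the usual Fedora flow (Makefile from selinux-policy-devel, then semodule); the verify step is where the question in the post gets answered in practice: if ps -Z shows bentest_t and getenforce says Enforcing, then whatever the process can still do is what the loaded rules allow it, and sesearch or the AVC log, not ps, tells you what those rules are.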