example of a domain with transition policy

Vadym Chepkov chepkov at yahoo.com
Thu Jan 29 21:29:45 UTC 2009


Unfortunately, I have to allow for it to "work" now, but I don't want to turn off selinux.

My first draft is this, by the way, and it's "working", so managers are off my back.

ai.te:

policy_module(ai,0.0.1)

# type for the /etc/rc.d/init.d script that starts the service
type ai_initrc_exec_t;
init_script_type(ai_initrc_exec_t);

# entry-point executables for the daemon domain
type ai_exec_t;
userdom_executable_file(ai_exec_t);

# ai_t is declared as an alias of the unconfined domain
unconfined_alias_domain(ai_t);

# transition from init/initrc into ai_t when ai_exec_t is executed
init_daemon_domain(ai_t,ai_exec_t)

# log files written by the daemon
type ai_log_t;
logging_log_file(ai_log_t)

manage_dirs_pattern(ai_t,ai_log_t,ai_log_t)
manage_files_pattern(ai_t,ai_log_t,ai_log_t)

ai.fc:

/etc/rc\.d/init\.d/ai   --      gen_context(system_u:object_r:ai_initrc_exec_t,s0)
/usr/r/bin/aiadmin      --      gen_context(system_u:object_r:ai_initrc_exec_t,s0)
/usr/r/bin/aiclient     --      gen_context(system_u:object_r:ai_exec_t,s0)
/usr/r/bin/aiagent      --      gen_context(system_u:object_r:ai_exec_t,s0)
/usr/r/logs(/.*)?               gen_context(system_u:object_r:ai_log_t,s0)

I just need to figure out what kind of auditallow statement to put in so it will log what wasn't specifically allowed only.

The biggest challenge for me, so far, is to figure out all those macros from /usr/share/selinux/devel/include; I can't find any document that would have them all.


Sincerely yours,
  Vadym Chepkov
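For the "log what wasn't specifically allowed" question, two facts about the audit trail are worth having in hand before reaching for auditallow: a confined domain's refused accesses are already recorded as `avc:  denied` records with no extra policy statement, whereas auditallow produces `avc:  granted` records for accesses the policy permits (useful for watching a rule you suspect is too broad). Note also that in the reference policy `unconfined_alias_domain(ai_t)` makes ai_t a typealias of unconfined_t, so a domain declared that way will not produce denials to collect. The usual workflow is to run audit2allow over the denial records and review the rules it proposes. The following is an added example (not part of the original post, and not the audit2allow implementation) showing that aggregation step in Python: it parses AVC records, keeps only the denials, groups the permissions by source type, target type and object class, and emits candidate allow rules. The audit lines are constructed for the example; they borrow the ai_t, ai_log_t and ai_exec_t names from the ai.te module above, and http_cache_port_t is a standard refpolicy port type used here only as sample data.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not captured from the original poster's
# system). Type names follow the ai.te module above; the fourth line is a
# "granted" record of the kind an auditallow rule produces, the fifth is a
# non-AVC record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1233264585.101:301): avc:  denied  { write } for  pid=2101 comm="aiagent" name="agent.log" dev=sda3 ino=40011 scontext=system_u:system_r:ai_t:s0 tcontext=system_u:object_r:ai_log_t:s0 tclass=file
type=AVC msg=audit(1233264585.102:302): avc:  denied  { append } for  pid=2101 comm="aiagent" name="agent.log" dev=sda3 ino=40011 scontext=system_u:system_r:ai_t:s0 tcontext=system_u:object_r:ai_log_t:s0 tclass=file
type=AVC msg=audit(1233264586.007:303): avc:  denied  { name_connect } for  pid=2101 comm="aiagent" dest=8080 scontext=system_u:system_r:ai_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1233264586.900:304): avc:  granted  { execute } for  pid=2102 comm="aiclient" name="aiclient" dev=sda3 ino=40020 scontext=system_u:system_r:ai_t:s0 tcontext=system_u:object_r:ai_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1233264586.900:304): arch=c000003e syscall=59 success=yes exit=0
"""

# Matches the verdict, the permission set, and the source/target contexts
# and object class of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field (third colon-separated component) of a context
    such as system_u:system_r:ai_t:s0."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_denials(log_text):
    """Aggregate denied permissions per (source type, target type, class),
    skipping 'granted' records and non-AVC lines."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            denials[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(denials)


def allow_rules(denials):
    """Render the aggregated denials as candidate allow rules for review."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(collect_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

The output is a review list, not policy to paste in unread: the first rule is the log access the ai.te module already grants through manage_files_pattern, and the second (a network connect to an unrelated port type) is the kind of entry that should prompt a question about whether the daemon needs that access at all, or whether it belongs in a boolean-guarded block.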



