Hi all,

I have started playing with the new SE Linux. I have it already running.

BTW, a minor question: there are messages in the log that /sbin/unix_verify is denied to do something. The system seems to work well. Because /sbin/unix_verify is from libpam-modules, I'm not sure what to do: ignore it, or add some rules to the policy for /sbin/unix_verify.

I can run user-mode-linux from my shell, but I need to run UML when the main system boots. UML should generally run via the nohup program in background mode. My main question is how to do that. I'm generally looking for a good solution from a security point of view that is relatively easy to do. I have thought about:

1) Leave UML running in the initrc_t domain - that is what I have now, but it is bad. Isn't it?
2) Create a special domain - this is impossible for me yet.
3) Extend rights for existing domains.
4) Run UML via the runcon program in an init.d script, in the same context as when run from the shell.

3) and 4) are somehow similar, but 4) seems to be easier to do.

I can modify the policy by adding 'allow' rules, but I'm not sure if that is the right way in this case. I haven't found a document of, let's say, 'general advice' containing advice like: 'what can be done safely', 'what should be avoided', 'if you do ... remember about ...', 'be careful if you want ...', 'if you allow ... you weaken the policy seriously'. I have a feeling that SE Linux policy has its own deep philosophy, so I'm afraid to make deeper changes to the policy, so as not to break it seriously.

Any advice, help or comments are welcome.

Best regards,
Chris