> I think we need to maybe stop marking certain defined
> domains as exec_type. To prevent all users from being able to execute
> the application without a transition.

If you want to prevent all users from being able to execute the app
w/out a transition, then set disable_trans to false, and that should
suffice, shouldn't it?

> Even in your example I disable-trans for games and then accidentally
> run some game as sysadm, bad things can happen.

So what you really want is to always transition for sysadm, regardless
of what disable_trans is set to.

if (! disable_games_trans) {
    domain_auto_trans($1_t, games_exec_t, $1_games_t)
}

ifelse($1, sysadm, `
    domain_auto_trans(sysadm_t, games_exec_t, sysadm_games_t)
')

-- 
Ivan Gyurdiev <ivg2@xxxxxxxxxxx>
Cornell University