The policy module I've tried is below. I can see that the process has the appropriate type in "ps -Z":
root:system_r:bentest_t:SystemLow-SystemHigh 13127 pts/1 00:00:00 bentest
But it still appears to have all the power of "unconfined_t". I did do a "restorecon -RF", and the files are appropriately labeled.
Is it possible for an app to confine "unconfined_t", or should I be switching over to the replacement for the strict policy? (I think it is just called "mls" at this point, which is a confusing name considering that targeted itself is an "mls" it seems.)
If I do need to switch to "selinux-policy-mls", is that policy ready for prime time?
Apologies in advance if I'm way off base in my understanding.
Thanks!
Ben
-------------
policy_module(bentest,1.0.4)
########################################
#
# Declarations
#
# Private type declarations
type bentest_t;
domain_type(bentest_t)
domain_auto_trans(unconfined_t,bentest_exec_t,bentest_t)
role system_r types bentest_t;
type bentest_exec_t;
domain_entry_file(bentest_t,bentest_exec_t)
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list