Re: constraining an app in targeted policy

On Mon, 2005-12-19 at 23:16 -0600, Benjamin Youngdahl wrote:
> I have a question on locking down an application under the targeted
> policy.
> 
> The policy module I've tried is below.  I can see that the process has
> the appropriate type in "ps -Z":
> 
> root:system_r:bentest_t:SystemLow-SystemHigh 13127 pts/1 00:00:00
> bentest 
> 
> But it still appears to have all the power of "unconfined_t".  I did
> do a "restorecon -RF", and the files are appropriately labeled.

What makes you say it has all the power of unconfined_t?  

> Is it possible for an app to confine "unconfined_t", or should I be
> switching over to the replacement for the strict policy?  (I think it
> is just called "mls" at this point, which is a confusing name
> considering that targeted itself is an "mls" it seems.) 

You should be able to confine a particular application under targeted
policy, just by putting it into its own domain, as you seem to be doing.
No need to switch to strict policy for that.  MLS has a specific
meaning, not relevant here.

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
