On Tue, 2006-11-28 at 19:36 +0100, Jimmy wrote:
> Hi!
>
> I'm trying to learn SELinux from the bottom up, but I'm having some fundamental
> issues regarding the basics.
> I'm trying to load the mozilla.pp module in targeted, which works fine. I
> set the correct contexts with restorecon on firefox-bin. But when I run
> the binary it still runs in unconfined_t when looking at running
> processes (ps auxZ).
> I've tried to compile it myself from different sources, and load it, but
> get the same results all the time. Then I tried with netutils.pp and
> discovered the same problem with ping.
>
> Why doesn't firefox get transferred to the $1_mozilla_t domain??? I know
> I'm making some really fundamental mistake somewhere, but I can't find out
> what it is!

If mozilla's domain was a "simple" domain, then mozilla.pp would just contain its definition, and you would still need to set up a transition from unconfined_t to mozilla's domain, likely by calling an interface defined by mozilla.if from unconfined.te. But mozilla's domain is templated for instantiation once per user role, and targeted policy has no notion of user roles or domains, so mozilla.pp doesn't even contain the actual domain definition, just a few type declarations for file types used for mozilla - the real domain definition happens as a result of template expansion for each user role.

In short, mozilla's policy was written for the strict policy. You'd have to do some work to instantiate it for unconfined in targeted and ensure that none of its assumptions are broken there, and your ability to limit what it can do will be severely constrained with targeted policy.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
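As an added illustration (not part of the reply above, and not copied from the reference policy sources), here are the two cases the reply contrasts, written in reference-policy style; the type, interface and template names (mozilla_t, mozilla_exec_t, mozilla_domtrans, mozilla_per_role_template) are assumed for the example and must be checked against the mozilla.if actually installed.

```selinux
# Case 1: a "simple" (non-templated) domain.  The module itself would
# declare the domain and its entrypoint, and an interface in mozilla.if
# would let another module wire up the transition into it.
#
# mozilla.te (illustrative, not the real module):
type mozilla_t;
type mozilla_exec_t;
domain_type(mozilla_t)
domain_entry_file(mozilla_t, mozilla_exec_t)

# mozilla.if (illustrative interface name):
interface(`mozilla_domtrans',`
	gen_require(`
		type mozilla_t, mozilla_exec_t;
	')
	# grants the caller execute on the entrypoint and adds the
	# type_transition that moves its process into mozilla_t on exec
	domtrans_pattern($1, mozilla_exec_t, mozilla_t)
')

# unconfined.te: without this call, a firefox-bin labelled mozilla_exec_t
# still runs as unconfined_t, which is exactly the symptom in the question.
mozilla_domtrans(unconfined_t)

# Case 2: the templated domain the real mozilla module uses.  The domain
# $1_mozilla_t only exists after the template is expanded for a user
# role, so in targeted policy (no per-user roles) nothing instantiates it.
# To try it for unconfined you would expand the template yourself from
# unconfined.te; the template name and argument order are assumed here:
mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
```

After rebuilding and loading the policy, `ps -eZ` should show firefox-bin in the new domain; if it still shows unconfined_t, use sesearch to confirm that a type_transition rule from unconfined_t on mozilla_exec_t actually made it into the loaded policy.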