Tom London wrote:
> [root@localhost ~]# ps agxZ | grep initrc_t
> system_u:system_r:initrc_t 2818 ? S 0:00 nasd -b -local
> system_u:system_r:initrc_t 3174 ? Ss 0:00 NetworkManagerDispatcher --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
> system_u:system_r:unconfined_t 3802 pts/0 S+ 0:00 grep initrc_t
> [root@localhost ~]#
> So, nasd and Network run in initrc_t.
> Should nasd have its own domain (e.g., nasd_exec_t -> nasd_t)?
Yes. Anyone out there looking to get their feet wet in writing policy,
this is probably a good one to start on.
Try out system-config-selinux, go to the modules tab and select new.
Comments welcome. I plan on writing up a tutorial on this soon.
> What about NetworkManagerDispatcher (e.g., also NetworkManager_exec_t, other?)?
This really needs a different interface also. And the scripts need to
be labeled. One problem with this is that these scripts could do anything,
so a policy for this dispatcher would need to be able to transition
to lots of domains. Maybe add an interface to it so it, like apache, can
run scripts in different contexts.
But we would have to ship a NetworkManager_unconfined_script_exec_t
for the default.
> tom
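As an added example (not part of the list thread, and not Fedora's or the refpolicy project's own code), here is a minimal reference-policy module of the kind the nasd question above asks for: a private nasd_t domain entered from initrc_t through nasd_exec_t, plus a PID-file type and the file contexts that label the binary. It assumes the refpolicy macros init_daemon_domain, files_pid_file, manage_files_pattern, files_pid_filetrans and the corenet_* interfaces, which Fedora's policy provides; the binary path /usr/bin/nasd and the /var/run/nasd PID directory are placeholders to check against the package on the target host, and the allow rules are a starting set to refine from AVC denials rather than a complete policy.

```shell
#!/bin/sh
# Added example, not from the fedora-selinux-list post.
# Generates a refpolicy module confining nasd in its own domain instead
# of leaving it in initrc_t, and builds it if selinux-policy-devel is present.

# Type-enforcement file. init_daemon_domain() creates the initrc_t -> nasd_t
# transition when init or an initrc script executes a nasd_exec_t file.
gen_nasd_te() {
cat <<'EOF'
policy_module(nasd, 1.0.0)

# Private domain and its entrypoint type
type nasd_t;
type nasd_exec_t;
init_daemon_domain(nasd_t, nasd_exec_t)

# PID file under /var/run (placeholder path, verify on the host)
type nasd_var_run_t;
files_pid_file(nasd_var_run_t)
manage_files_pattern(nasd_t, nasd_var_run_t, nasd_var_run_t)
files_pid_filetrans(nasd_t, nasd_var_run_t, file)

# nasd is a network audio server: listen on and use a TCP socket.
# Starting set only; extend from audit2allow output while testing.
allow nasd_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(nasd_t)
corenet_tcp_sendrecv_generic_if(nasd_t)
corenet_tcp_sendrecv_generic_node(nasd_t)
EOF
}

# File-contexts file: label the binary so the transition fires,
# and the PID directory so nasd_t can write there.
gen_nasd_fc() {
cat <<'EOF'
/usr/bin/nasd          --   gen_context(system_u:object_r:nasd_exec_t,s0)
/var/run/nasd(/.*)?         gen_context(system_u:object_r:nasd_var_run_t,s0)
EOF
}

# Write nasd.te / nasd.fc / nasd.if into a directory and, when the
# refpolicy development Makefile is installed, build nasd.pp from them.
build_nasd_module() {
  dir=${1:-nasd-policy}
  mkdir -p "$dir" || return 1
  gen_nasd_te > "$dir/nasd.te"
  gen_nasd_fc > "$dir/nasd.fc"
  : > "$dir/nasd.if"   # no interfaces exported yet
  if [ -f /usr/share/selinux/devel/Makefile ]; then
    make -C "$dir" -f /usr/share/selinux/devel/Makefile nasd.pp
  fi
}
```

After `build_nasd_module`, the resulting nasd.pp is loaded with `semodule -i nasd.pp` and the contexts applied with `restorecon` on the paths in nasd.fc; restarting the service and checking `ps -Z` for nasd_t confirms the transition, and any remaining denials in the audit log show which rules the starting set is missing.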
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list