Daniel J Walsh wrote:
> Tom London wrote:
>> [root@localhost ~]# ps agxZ | grep initrc_t
>> system_u:system_r:initrc_t 2818 ? S 0:00 nasd -b -local
>> system_u:system_r:initrc_t 3174 ? Ss 0:00
>> NetworkManagerDispatcher
>> --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
>> system_u:system_r:unconfined_t 3802 pts/0 S+ 0:00 grep initrc_t
>> [root@localhost ~]#
>>
>> So, nasd and Network run in initrc_t.
>>
>> Should nasd have its own domain (e.g., nasd_exec_t -> nasd_t)?
> Yes, anyone out there looking to get their feet wet in writing policy,
> this is probably a good one to start on.

I don't know whether Tom has worked on this. If not, I will try, but I am not familiar with network audio system :-)

>
> Try out system-config-selinux, go to modules tab and select new.
> Comments welcome. I plan on writing up a tutorial on this, soon.
>>
>> What about NetworkManagerDispatcher (e.g., also NetworkManager_exec_t,
>> other?)?
>>
> This really needs a different interface also. And the scripts need to
> be labeled. One problem with this is these scripts could do anything,
> so writing a policy to do this dispatcher would need to be able to
> transition to lots of domains. Maybe add an interface to it so it, like
> apache, can run scripts in different contexts.
>
> But we would have to ship a NetworkManager_unconfined_script_exec_t,
> for the default.
>> tom

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
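An added example, not part of the original thread: the `ps agxZ | grep initrc_t` check above also matches any command line that merely mentions `initrc_t` (the `grep` row itself), so this sketch matches on the type field of the label instead and lists the daemons that still lack their own domain. The function names `sample_ps` and `procs_in_domain` are hypothetical, and the sample input is the thread's three rows with the mail-wrapped line rejoined.

```shell
#!/bin/sh
# Added example (not from the thread): find processes still running in a
# given SELinux domain, reading `ps axZ`-style rows on stdin.

# Constructed sample input: the three rows quoted in the thread, with the
# mail-wrapped NetworkManagerDispatcher row rejoined onto one line.
sample_ps() {
cat <<'EOF'
system_u:system_r:initrc_t 2818 ? S 0:00 nasd -b -local
system_u:system_r:initrc_t 3174 ? Ss 0:00 NetworkManagerDispatcher --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
system_u:system_r:unconfined_t 3802 pts/0 S+ 0:00 grep initrc_t
EOF
}

# procs_in_domain TYPE
# Print "PID COMMAND" for each row whose SELinux type is exactly TYPE.
# The type is the third colon-separated field of the label, so labels that
# carry an MLS suffix (user:role:type:s0) are handled the same way.
procs_in_domain() {
    awk -v want="$1" '
        {
            n = split($1, ctx, ":")
            # Skip header rows, "-" labels and rows in other domains.
            if (n < 3 || ctx[3] != want) next
            cmd = $6                 # LABEL PID TTY STAT TIME COMMAND...
            sub(/^.*\//, "", cmd)    # keep only the executable name
            print $2, cmd
        }'
}

# Demo on the constructed sample; on a live system use:
#   ps axZ | procs_in_domain initrc_t
sample_ps | procs_in_domain initrc_t
```

Each name it prints is a candidate for a dedicated domain of the kind discussed in the thread (`nasd_exec_t -> nasd_t`).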