Torbjørn Lindahl wrote:
> Hello, I am writing an application that I want to limit using selinux.
>
> audit.log shows that it wants access to /etc/nsswitch.conf and /etc/hosts -
> which doesn't seem too unreasonable, however both these have types etc_t,
> and allowing myapp_t to read etc_t would also give it access to for example
> /etc/passwd, which I do not want.
>
> Do I have to invent a new type for these two files to be able to keep my
> application from the other etc_t files in /etc ?
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Yes you can, but the more different file_context that you have in /etc, the
harder they will be to maintain. Reading /etc/passwd is not as dangerous as
being able to read /etc/shadow. So consider if this is really necessary.
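
Added example, not part of the original thread: a sketch of the dedicated-type approach discussed above, written as a reference-policy module. The module and type name `myapp_netconf` / `myapp_netconf_t` are hypothetical, `myapp_t` is the domain from the question, and it assumes both files currently get etc_t from the generic /etc file-context rule, as the question describes.

```selinux
# ---- myapp_netconf.te (type enforcement; hypothetical module name) ----
policy_module(myapp_netconf, 1.0.0)

gen_require(`
	type myapp_t;       # the application's domain, from the question
	attribute domain;   # attribute carried by every process domain
')

# Dedicated file type for the two resolver files.
type myapp_netconf_t;
files_type(myapp_netconf_t)

# myapp_t may search /etc and read only files carrying the new type.
# Nothing here grants read on etc_t files, so /etc/passwd stays denied.
files_search_etc(myapp_t)
allow myapp_t myapp_netconf_t:file read_file_perms;

# Once relabelled, the files are no longer etc_t, so domains that used to
# read them through their etc_t rules would be denied. Restore read access
# for all domains; this also covers myapp_t, the rule above is kept so the
# intent stays explicit if this broader rule is later narrowed.
allow domain myapp_netconf_t:file read_file_perms;

# ---- myapp_netconf.fc (file contexts; separate file) ----
/etc/hosts		--	gen_context(system_u:object_r:myapp_netconf_t,s0)
/etc/nsswitch\.conf	--	gen_context(system_u:object_r:myapp_netconf_t,s0)

# ---- build, load and relabel (run as root; shown as comments) ----
# make -f /usr/share/selinux/devel/Makefile myapp_netconf.pp
# semodule -i myapp_netconf.pp
# restorecon -v /etc/hosts /etc/nsswitch.conf
# ls -Z /etc/hosts /etc/nsswitch.conf /etc/passwd   # confirm the labels
```

The maintenance cost mentioned in the reply shows up here: a tool that replaces one of these files by writing a new file and renaming it leaves the new file with the directory's default etc_t label until `restorecon` is run again, at which point `myapp_t` is denied.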