Torbjørn Lindahl wrote:
> I see. In that case I am not going to push this topic much further. Thanks
> for your assistance!
>
> But wouldn't it be nice to have an allow mechanism in SELinux in which I
> could grant access based on its existing access. What I want to achieve is
> to be able to add a rule like "If process can read etc_t, then it can also
> read etc_foo_t"
>
> That would allow me to change context of individual files, and grant access
> to them by process who already have etc_t, and I wouldn't have to redefine
> almost the entire selinux context tree just to target a few individual files
> in /etc for my app.
>
> T.
>
> On 9/18/07, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>> Torbjørn Lindahl wrote:
>>> Good point.
>>> I probably can live with that.
>>>
>>> Still I am not sure if I would like it to have full access to all files
>>> labelled etc_t. It would be nice to be able to single out only a few of
>>> them. Perhaps I should look at something other than the targeted policy.
>>>
>>> On 9/17/07, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>>> Torbjørn Lindahl wrote:
>>>>> Hello, I am writing an application that I want to limit using selinux.
>>>>> audit.log shows that it wants access to /etc/nsswitch.conf and /etc/hosts -
>>>>> which doesn't seem too unreasonable, however both these have types etc_t,
>>>>> and allowing myapp_t to read etc_t would also give it access to for example
>>>>> /etc/passwd, which I do not want.
>>>>>
>>>>> Do I have to invent a new type for these two files to be able to keep my
>>>>> application from the other etc_t files in /etc ?
>>>>>
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list@xxxxxxxxxx
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>
>>>> Yes you can, but the more different file_context that you have in /etc,
>>>> the harder they will be to maintain.
>>>>
>>>> Reading /etc/passwd is not as dangerous as being able to read
>>>> /etc/shadow. So consider if this is really necessary.
>>
>> All of the current policies including mls allow reading of etc_t for
>> most domains, and /etc/passwd is labeled etc_t.

We could do something like this with attributes. If you created an attribute
of etc_filetype, then gave etc_t this attribute, change the interfaces that say
files_read_etc_files() to use the attribute instead of the file. Now when you
create new file types, you could define them as etc_filetype.
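Dan's attribute-based approach written out as an added example, not code from the thread or from the reference policy: etc_filetype and myapp_t come from the messages above, while etc_myapp_t, myapp_exec_t and the file-context lines are assumed names, and the attribute is assumed to be declared in the base policy so that a module can require it.

```selinux
## files.te / files.if (base policy): declare the attribute, hand it to etc_t,
## then make the read interface grant against the attribute, not the type.
## (Hypothetical rewrite of the refpolicy interface, following the suggestion.)
attribute etc_filetype;

type etc_t;
files_type(etc_t)
typeattribute etc_t etc_filetype;

interface(`files_read_etc_files',`
	gen_require(`
		attribute etc_filetype;
	')

	# Every domain that used to read etc_t now reads any etc_filetype type,
	# so relabelling a file to a new etc_filetype type breaks no existing caller.
	allow $1 etc_filetype:dir list_dir_perms;
	read_files_pattern($1, etc_filetype, etc_filetype)
	read_lnk_files_pattern($1, etc_filetype, etc_filetype)
')

## myapp.te (example module; etc_myapp_t and myapp_exec_t are made-up names)
policy_module(myapp, 1.0)

gen_require(`
	attribute etc_filetype;
')

type myapp_t;
type myapp_exec_t;
application_domain(myapp_t, myapp_exec_t)

# Dedicated type for the two files. It carries etc_filetype, so domains that
# resolve names through files_read_etc_files() keep their access after relabel.
type etc_myapp_t;
files_type(etc_myapp_t)
typeattribute etc_myapp_t etc_filetype;

# myapp_t gets only the narrow type: nsswitch.conf and hosts, not the rest of
# etc_t such as /etc/passwd. Searching /etc itself (still etc_t) is separate.
files_search_etc(myapp_t)
allow myapp_t etc_myapp_t:file read_file_perms;

## myapp.fc: relabel just the two files (run restorecon on them afterwards)
/etc/nsswitch\.conf	--	gen_context(system_u:object_r:etc_myapp_t,s0)
/etc/hosts		--	gen_context(system_u:object_r:etc_myapp_t,s0)
```

Check the result with `sesearch -A -s myapp_t -c file -p read` after loading the module: only etc_myapp_t (plus whatever application_domain grants) should appear, while a domain calling files_read_etc_files() shows the attribute.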