yiruli@xxxxxxxxxxxxxxxx wrote:
> Hi,
> I am practising to write a policy for a music player called soundjuicer.
>
> Policy Tool I used: selinux-polgengui
>
> The beginning part of soundjuicer1.te is as follows:
> ----------------------------------------------------
> type soundjuicer1_t;
> type soundjuicer1_exec_t;
> application_domain(soundjuicer1_t, soundjuicer1_exec_t)
> role user_r types soundjuicer1_t;
> .....
> -------------------------------------------------------
>
> The context of login id is (id -Z):
> user_u:user_r:user_t
>
> I loaded the module. And then I run the music player both from terminal
> and GUI. I checked the context of the soundjuicer process.
> The context of the process is : user_u:user_r:user_t
>
> Question:
> With the context for the process, user_u:user_r:user_t, can I say that
> the security policy for the program is not being enforced, because of
> the failure of domain transition?
>
> Should the context of the process be: user_u:user_r:soundjuicer1_t?
>
> thanks
> Yiru Li
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You need to write a rule like

gen_require(`
	type user_t;
	role user_r;
	type user_tty_device_t, user_devpts_t;
')

soundjuicer1_run(user_t, user_r, { user_tty_device_t user_devpts_t })
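The following is an added example, not part of the original thread or of the soundjuicer1 policy: a small checker that lists which rules are still missing for user_t to enter soundjuicer1_t automatically when it runs the labelled binary. Both rule sets are constructed, simplified stand-ins for what the macros expand to, and the function names are hypothetical.

```python
import re

# Constructed, simplified rules: roughly what the posted module provides alone
# (application_domain supplies the entrypoint; the role statement allows the type).
MODULE_ONLY = """
allow soundjuicer1_t soundjuicer1_exec_t:file { entrypoint read execute };
role user_r types soundjuicer1_t;
"""

# Constructed, simplified rules a transition from user_t needs in addition.
WITH_TRANSITION = MODULE_ONLY + """
allow user_t soundjuicer1_exec_t:file { getattr read execute };
allow user_t soundjuicer1_t:process transition;
type_transition user_t soundjuicer1_exec_t:process soundjuicer1_t;
"""

ALLOW = re.compile(r"allow (\w+) (\w+):(\w+) (?:\{([^}]*)\}|(\w+));")

def parse(policy):
    """Return (allow tuples, type_transition tuples, role/type pairs)."""
    allows, trans, roles = set(), set(), set()
    for line in policy.splitlines():
        line = line.strip()
        m = ALLOW.fullmatch(line)
        if m:
            src, tgt, cls, perms, single = m.groups()
            for perm in (perms or single).split():
                allows.add((src, tgt, cls, perm))
        elif line.startswith("type_transition "):
            src, rest, new = line.rstrip(";").split()[1:]
            tgt, cls = rest.split(":")
            trans.add((src, tgt, cls, new))
        elif line.startswith("role "):
            _, role, _, typ = line.rstrip(";").split()
            roles.add((role, typ))
    return allows, trans, roles

def missing_for_transition(policy, src, exec_t, new, role):
    """List the rules still missing for src to enter new by executing exec_t."""
    allows, trans, roles = parse(policy)
    checks = [
        ((src, exec_t, "file", "execute") in allows, f"allow {src} {exec_t}:file execute"),
        ((new, exec_t, "file", "entrypoint") in allows, f"allow {new} {exec_t}:file entrypoint"),
        ((src, new, "process", "transition") in allows, f"allow {src} {new}:process transition"),
        ((src, exec_t, "process", new) in trans, f"type_transition {src} {exec_t}:process {new}"),
        ((role, new) in roles, f"role {role} types {new}"),
    ]
    return [rule for ok, rule in checks if not ok]
```

The checker only looks at rules; the binary itself must also carry the soundjuicer1_exec_t label on disk for the transition to fire.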