Re: example of a domain with transition policy

I don't see how the policy that you have pasted below could possibly
work because you did not even declare a domain type (type ai_t;).

Also there are a bunch of syntax errors there.

If you had visited us on IRC, then chances are that you would
have a workable policy by now.


On Thu, 2009-01-29 at 22:44 +0100, Dominick Grift wrote:
> The source policy has all the info and documentation / examples you
> need. Eclipse-slide provides easy access.
> 
> 
> On Thu, 2009-01-29 at 13:29 -0800, Vadym Chepkov wrote:
> > Unfortunately, I have to allow for it to "work" now, but I don't want to turn off selinux.
> > 
> > My first draft is this, by the way, and it's "working", so managers are off my back.
> > 
> > ai.te:
> > 
> > policy_module(ai,0.0.1)
> > 
> > type ai_initrc_exec_t;
> > init_script_type(ai_initrc_exec_t);
> > 
> > type ai_exec_t;
> > userdom_executable_file(ai_exec_t);
> > 
> > unconfined_alias_domain(ai_t);
> > 
> > init_daemon_domain(ai_t,ai_exec_t)
> > 
> > type ai_log_t;
> > logging_log_file(ai_log_t)
> > 
> > manage_dirs_pattern(ai_t,ai_log_t,ai_log_t)
> > manage_files_pattern(ai_t,ai_log_t,ai_log_t)
> > 
> > ai.fc:
> > 
> > /etc/rc\.d/init\.d/ai   --      gen_context(system_u:object_r:ai_initrc_exec_t,s0)
> > /usr/r/bin/aiadmin      --      gen_context(system_u:object_r:ai_initrc_exec_t,s0)
> > /usr/r/bin/aiclient     --      gen_context(system_u:object_r:ai_exec_t,s0)
> > /usr/r/bin/aiagent      --      gen_context(system_u:object_r:ai_exec_t,s0)
> > /usr/r/logs(/.*)?               gen_context(system_u:object_r:ai_log_t,s0)
> > 
> > I just need to figure out what kind of auditallow statement to put in so it will log what wasn't specifically allowed only.
> > 
> > The biggest challenge for me, so far, is to figure out all those macros from /usr/share/selinux/devel/include, I can't find any document that would have them all.
> > 
> > 
> > Sincerely yours,
> >   Vadym Chepkov
> > 

Attachment: signature.asc
Description: This is a digitally signed message part
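
An added illustration, not written by anyone in this thread: a confined variant of the quoted module in which ai_t is declared as its own type, so that init_daemon_domain() sets up the transition into it, and the domain is marked permissive so that accesses not yet allowed are logged as AVC denials without being blocked. It assumes the reference-policy interface init_script_file() and the permissive statement are supported by the installed policy; the file paths are the ones from the quoted ai.fc.

```selinux
# ai.te (added example): ai_t is its own type, not an alias of unconfined_t
policy_module(ai, 0.0.1)

# Domain and its entry point. init_daemon_domain() sets up the
# transition: a process in initrc_t that executes an ai_exec_t
# file enters ai_t.
type ai_t;
type ai_exec_t;
init_daemon_domain(ai_t, ai_exec_t)

# Label for the init script itself.
type ai_initrc_exec_t;
init_script_file(ai_initrc_exec_t)

# Private log type; these rules let ai_t manage its own logs only.
type ai_log_t;
logging_log_file(ai_log_t)
manage_dirs_pattern(ai_t, ai_log_t, ai_log_t)
manage_files_pattern(ai_t, ai_log_t, ai_log_t)

# Keep only this domain permissive while the rules are being written:
# anything not allowed above is logged as an AVC denial but not blocked.
# Remove this line once the logged denials have been reviewed.
permissive ai_t;

# ai.fc (paths taken from the quoted message)
/etc/rc\.d/init\.d/ai	--	gen_context(system_u:object_r:ai_initrc_exec_t,s0)
/usr/r/bin/aiadmin	--	gen_context(system_u:object_r:ai_initrc_exec_t,s0)
/usr/r/bin/aiclient	--	gen_context(system_u:object_r:ai_exec_t,s0)
/usr/r/bin/aiagent	--	gen_context(system_u:object_r:ai_exec_t,s0)
/usr/r/logs(/.*)?		gen_context(system_u:object_r:ai_log_t,s0)
```
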

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
