On Thu, 2009-01-29 at 13:29 -0800, Vadym Chepkov wrote: > Unfortunately, I have to allow for it to "work" now, but I don't want do turn off selinux. > > My first draft is this, by the way, and it's "working", so managers are off my back. > > ai.te: > > policy_module(ai,0.0.1) > > type ai_initrc_exec_t; > init_script_type(ai_initrc_exec_t); > > type ai_exec_t; > userdom_executable_file(ai_exec_t); > > unconfined_alias_domain(ai_t); I don't think you want an alias (i.e. two names for the same domain) but rather another domain that is unconfined as well. Use unconfined_domain(). > init_daemon_domain(ai_t,ai_exec_t) > > type ai_log_t; > logging_log_file(ai_log_t) > > manage_dirs_pattern(ai_t,ai_log_t,ai_log_t) > manage_files_pattern(ai_t,ai_log_t,ai_log_t) > > ai.fc: > > /etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t,s0) > /usr/r/bin/aiadmin -- gen_context(system_u:object_r:ai_initrc_exec_t,s0) > /usr/r/bin/aiclient -- gen_context(system_u:object_r:ai_exec_t,s0) > /usr/r/bin/aiagent -- gen_context(system_u:object_r:ai_exec_t,s0) > /usr/r/logs(/.*)? gen_context(system_u:object_r:ai_log_t,s0) > > I just need to figure out what kind of auditallow statement to put in so it will log what wasn't specifically allowed only. > > The biggest challenge for me, so far, is to figure out all those macros from /usr/share/selinux/devel/include, I can't find any document that would have them all. There used to be a /usr/share/doc/selinux-policy* directory that had the HTML documentation for the policy - not sure where that is now in F10. Latest interface docs are also online, http://oss.tresys.com/docs/refpolicy/api/ Interesting question about auditallow; you might need a script to generate the right set, maybe derived from audit2allow/sepolgen innards. Watch out though - auditallow'ing everything will flood your system with too many audit messages. -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
