Re: example of a domain with transition policy

On Thu, 2009-01-29 at 14:43 -0800, Vadym Chepkov wrote:
> > I don't think you want an alias (i.e. two names for the same domain) but
> > rather another domain that is unconfined as well.  Use unconfined_domain().
> 
> sshd_t is defined this way in Redhat policy, I learn from the masters :)
> 
> $ cd /home/vvc/rpmbuild/BUILD/serefpolicy-2.4.6/policy/modules/services
> $ grep sshd_t ssh.te |grep domain
>         unconfined_alias_domain(sshd_t)
>         init_system_domain(sshd_t,sshd_exec_t)

That has changed in newer policies.  But regardless, if you want to be
able to see allows/denies on ai_t, you can't make it an alias - it needs
to be its own distinct type.  Aliases are just turned into the same
underlying type internally, so they will still show up as unconfined_t
in audit messages and ps -Z output.

> > 
> > Interesting question about auditallow; you might need a script to
> > generate the right set, maybe derived from audit2allow/sepolgen innards.
> > Watch out though - auditallow'ing everything will flood your system with
> > too many audit messages.
> 
> Exactly, I want to avoid it.
-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
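
The alias form and the distinct-type form discussed in this message, side by side in a reference-policy style module; this is an added example, not part of the original post and not taken from the Red Hat policy. Assumptions: the module name `ai`, the `ai_exec_t` entry type, the `unconfined_r` role of the calling user, and the `etc_t` target with its permission set in the `auditallow` rule are all chosen for illustration; only `ai_t` and the two interface names come from the thread.

```selinux
policy_module(ai, 1.0.0)

gen_require(`
	type unconfined_t;
	type etc_t;
	role unconfined_r;
')

# Alias form (what the quoted ssh.te line does for sshd_t).
# An alias is only a second name for an existing type, declared with a
# statement of the form:
#     typealias unconfined_t alias ai_t;
# The kernel sees one type, so AVC records and ps -Z report unconfined_t.
# Left commented out: a name cannot be both an alias and a declared type.
# unconfined_alias_domain(ai_t)

# Distinct-type form: ai_t has its own identity, so audit messages and
# ps -Z show ai_t and rules can be written against it separately.
type ai_t;
type ai_exec_t;              # assumed label for the program's executable
domain_type(ai_t)
domain_entry_file(ai_t, ai_exec_t)
role unconfined_r types ai_t;    # assumed role of the user starting it

# Keep the new domain unconfined, as suggested in the quoted advice.
unconfined_domain(ai_t)

# Transition: unconfined_t executing an ai_exec_t file enters ai_t.
domtrans_pattern(unconfined_t, ai_exec_t, ai_t)

# Narrow auditallow: log granted modifications to etc_t files only.
# Auditing every class and permission for an unconfined domain would
# flood the audit log, which is the concern raised in the thread.
auditallow ai_t etc_t:file { write append unlink };
```

With the distinct-type form loaded and the executable labeled `ai_exec_t`, the running process appears as `ai_t` in `ps -Z`, and each granted access matching the `auditallow` rule produces an AVC record with `granted` and `scontext` ending in `ai_t`.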
