On Thu, 2009-01-29 at 14:43 -0800, Vadym Chepkov wrote:
> > I don't think you want an alias (i.e. two names for the same domain) but
> > rather another domain that is unconfined as well. Use unconfined_domain().
>
> sshd_t is defined this way in Redhat policy, I learn from the masters :)
>
> $ cd /home/vvc/rpmbuild/BUILD/serefpolicy-2.4.6/policy/modules/services
> $ grep sshd_t ssh.te |grep domain
> unconfined_alias_domain(sshd_t)
> init_system_domain(sshd_t,sshd_exec_t)

That has changed in newer policies. But regardless, if you want to be able to see allows/denies on ai_t, you can't make it an alias - it needs to be its own distinct type. Aliases are just turned into the same underlying type internally, so they will still show up as unconfined_t in audit messages and ps -Z output.

> > Interesting question about auditallow; you might need a script to
> > generate the right set, maybe derived from audit2allow/sepolgen innards.
> > Watch out though - auditallow'ing everything will flood your system with
> > too many audit messages.
>
> Exactly, I want to avoid it.

--
Stephen Smalley
National Security Agency
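The point about aliases and audit output, as an added example that is not part of the original thread: a small summarizer that groups AVC records by the type in `scontext`, so activity is attributable to `ai_t` only when it is a distinct type. The log records are constructed samples, and the names `summarize` and `context_type` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample audit records (not from the thread). The first two come
# from a process running in a distinct ai_t domain; the third is what the same
# program would log if ai_t were only an alias of unconfined_t.
SAMPLE_LOG = """\
type=AVC msg=audit(1233269001.101:51): avc:  granted  { read } for  pid=2101 comm="ai" name="ai.conf" dev=dm-0 ino=4411 scontext=system_u:system_r:ai_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1233269002.207:52): avc:  denied  { write } for  pid=2101 comm="ai" name="ai.conf" dev=dm-0 ino=4411 scontext=system_u:system_r:ai_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1233269003.311:53): avc:  granted  { read } for  pid=2250 comm="ai" name="ai.conf" dev=dm-0 ino=4411 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1233269003.311:53): arch=c000003e syscall=2 success=yes exit=3
"""

# Matches the decision, permission set and contexts of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>granted|denied)\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def summarize(log_text, domain):
    """Count (result, target type, class, permission) for one source domain."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or context_type(m["scontext"]) != domain:
            continue  # not an AVC record, or a different source domain
        for perm in m["perms"].split():
            key = (m["result"], context_type(m["tcontext"]), m["tclass"], perm)
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for domain in ("ai_t", "unconfined_t"):
        for key, n in sorted(summarize(SAMPLE_LOG, domain).items()):
            print(f"{domain}: {key[0]} {key[1]}:{key[2]} {key[3]} x{n}")
```

Records logged under an alias fall into the `unconfined_t` bucket together with every other unconfined process, which is why they cannot be separated after the fact.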