On 08/29/2010 01:45 PM, Mr Dash Four wrote:
>
>> it's a fifo_file on device pipefs with name/path: pipe:[11951]
>>
>> This type of internal communication is very common. We use the following
>> policy for this:
>>
>> allow voip_sandbox_t self:fifo_file rw_fifo_file_perms;
>>
> Is 'rw_fifo_file_perms' custom-defined somewhere?
>
> All I can see on the fifo_file is { append create execute getattr ioctl
> link lock mounton quotaon read relabelfrom relabelto rename setattr
> swapon unlink write }, of which, 'read' and 'write' are the relevant
> ones. If I do 'allow voip_sandbox_t self:fifo_file { read write }' would
> that be the same thing or am I missing something?
>
http://oss.tresys.com/projects/refpolicy/browser/policy/support/obj_perm_sets.spt line 241:

define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')

Basically a set of common permissions to read and write fifo files. Not quite the same as just { read write } but not too excessive either. I always use "macros" wherever possible; that will make policy maintenance much easier.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
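Added example, not part of the thread or of refpolicy: a small Python parser for the m4 `define(...)` lines used in obj_perm_sets.spt that expands a permission-set macro (following nested macro references) and reports what an `allow ... { read write }` rule would lack compared with `rw_fifo_file_perms`. Only the rw_fifo_file_perms definition is the one quoted above; the other two definitions and the `voip_sandbox_t` rule rendering are constructed for illustration.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample in the format of refpolicy's policy/support/obj_perm_sets.spt.
# The rw_fifo_file_perms line is the one quoted in the thread; the other two
# definitions are made up here to exercise nested macro references.
SAMPLE_SPT = """
define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
define(`create_fifo_file_perms',`{ getattr create open }')
define(`manage_fifo_file_perms',`{ rw_fifo_file_perms create_fifo_file_perms setattr unlink }')
"""

# define(`NAME',`{ tokens }') -- one definition per line, as in the .spt file.
DEFINE_RE = re.compile(r"define\(`(\w+)',`\{([^}]*)\}'\)")


def parse_perm_sets(text: str) -> Dict[str, Set[str]]:
    """Map each macro name to the raw tokens inside its braces (not yet expanded)."""
    return {name: set(body.split()) for name, body in DEFINE_RE.findall(text)}


def expand(name: str, sets: Dict[str, Set[str]], _seen: Tuple[str, ...] = ()) -> Set[str]:
    """Replace macro names by their members recursively; anything else is a permission."""
    if name in _seen:
        raise ValueError(f"recursive macro definition: {name}")
    perms: Set[str] = set()
    for tok in sets[name]:
        if tok in sets:
            perms |= expand(tok, sets, _seen + (name,))
        else:
            perms.add(tok)
    return perms


def compare_rules(macro: str, literal: Set[str], sets: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """What a rule written with the literal set lacks ('missing') or adds ('extra') vs. the macro."""
    full = expand(macro, sets)
    return {"missing": full - literal, "extra": literal - full}


def render_allow(source: str, target: str, cls: str, macro: str, sets: Dict[str, Set[str]]) -> str:
    """Write the allow rule with the macro expanded, the way m4 would emit it."""
    return f"allow {source} {target}:{cls} {{ {' '.join(sorted(expand(macro, sets)))} }};"


if __name__ == "__main__":
    sets = parse_perm_sets(SAMPLE_SPT)
    diff = compare_rules("rw_fifo_file_perms", {"read", "write"}, sets)
    print("not granted by { read write }:", sorted(diff["missing"]))
    print(render_allow("voip_sandbox_t", "self", "fifo_file", "rw_fifo_file_perms", sets))
```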