> writing policy requires testing. i usually do my testing in permissive > mode or with permissive domains. > > basically in my initial policy i declare type for know object and > subjects, i make the types usable. Then i add file context > specifications so that the objects are labelled properly. in my initial > policy i also define the domain transitions. > > Then i usually test in permissive mode. collect as many AVC denials as i > can and then translate them into human readable policy and extend the > policy module, rebuild, reload and start over again, test, collect, > extend, build, install etc. > Good idea that - switching to permissive mode - as obvious as it might be, I never thought of that before. Noted! As for the policy, I haven't yet defined all port interactions yet - needed to see whether the local binding with mysql would work first before I plunge myself and do the rest. I also wish to introduce the restriction for this program to operate on 2 different net interfaces (with the appropriate port rules for each!), so I haven't got that far yet. -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
