On Saturday 04 December 2010 16:57:10 Dominick Grift wrote:
> Such a domain transition would look like this:
>
> domtrans_pattern(unconfined_t, touch_exec_t, touch_t)
>
> That is a simple example. With user applications, like touch in our
> example, I prefer to use role prefixes to let SELinux know who runs
> touch, so that "touch policy" can be defined for particular roles.
>
> E.g. "touch policy" for the user_r role differs from "touch policy" for
> unconfined_r:
>
> domtrans_pattern(unconfined_t, touch_exec_t, unconfined_touch_t)
>
> vs.
>
> domtrans_pattern(user_t, touch_exec_t, user_touch_t)
>
> Then you can do:
>
> filetrans_pattern(unconfined_touch_t, etc_t, net_conf_t, file)
>
> vs.
>
> filetrans_pattern(user_touch_t, etc_t, etc_runtime_t, file)
>
> E.g. when unconfined_t runs touch_exec_t and domain transitions to
> unconfined_touch_t, then unconfined_touch_t creates files in etc_t
> directories with a file transition to net_conf_t, whereas user_touch_t
> creates files in etc_t directories with a file transition to etc_runtime_t.

Thanks Dominick for the excellent explanation. I've been using SELinux for a
while but never gave transitions too much thought. Your explanation and
examples are very clear and very helpful - very much appreciated!

All the best,
Jorge

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
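The quoted rules above are fragments; what follows is an added example, written for this page and not taken from the thread or from any shipped policy, that puts them into one complete reference-policy module so the two role-specific touch domains and their file transitions can actually be built and loaded. The module name (mytouch), the section layout, the gen_require list and the supporting interfaces (application_domain, sysnet_manage_config, files_manage_etc_runtime_files, userdom_use_user_terminals) are my choices; the domain and type names are the ones from Dominick's message.

```selinux
policy_module(mytouch, 1.0.0)

########################################
#
# Declarations
#

# Types and roles owned by other modules that this example relies on.
gen_require(`
	type unconfined_t, user_t;
	type etc_t, net_conf_t, etc_runtime_t;
	role unconfined_r, user_r;
')

# Entrypoint type for the touch binary. A companion mytouch.fc must label it,
# e.g.:  /usr/bin/touch  --  gen_context(system_u:object_r:touch_exec_t,s0)
# Without that label no domain transition can ever fire.
type touch_exec_t;
corecmd_executable_file(touch_exec_t)

# One touch domain per role, so each role gets its own "touch policy".
# application_domain() declares the domain and makes touch_exec_t its entrypoint.
type unconfined_touch_t;
application_domain(unconfined_touch_t, touch_exec_t)
role unconfined_r types unconfined_touch_t;

type user_touch_t;
application_domain(user_touch_t, touch_exec_t)
role user_r types user_touch_t;

########################################
#
# unconfined_r touch policy
#

# unconfined_t executing a touch_exec_t file lands in unconfined_touch_t ...
domtrans_pattern(unconfined_t, touch_exec_t, unconfined_touch_t)

# ... and files it creates in etc_t directories are labeled net_conf_t.
# filetrans_pattern only emits the type_transition plus rw access to the
# etc_t directory; the domain still needs permission on the new file type,
# which the sysnet interface grants here.
filetrans_pattern(unconfined_touch_t, etc_t, net_conf_t, file)
sysnet_manage_config(unconfined_touch_t)

########################################
#
# user_r touch policy
#

# Same mechanism, different target domain and different resulting file type.
domtrans_pattern(user_t, touch_exec_t, user_touch_t)
filetrans_pattern(user_touch_t, etc_t, etc_runtime_t, file)
files_manage_etc_runtime_files(user_touch_t)

# Both domains write diagnostics to the caller's terminal.
userdom_use_user_terminals(unconfined_touch_t)
userdom_use_user_terminals(user_touch_t)
```

Build and load it with `make -f /usr/share/selinux/devel/Makefile mytouch.pp` followed by `semodule -i mytouch.pp`, then `restorecon -v /usr/bin/touch` so the binary picks up the touch_exec_t label. To confirm the kernel actually holds the rules the thread describes, query the loaded policy rather than trusting the source: `sesearch -T -s unconfined_t -t touch_exec_t -c process` should show the transition to unconfined_touch_t, and `sesearch -T -s unconfined_touch_t -t etc_t -c file` versus `sesearch -T -s user_touch_t -t etc_t -c file` should show net_conf_t and etc_runtime_t respectively. Note that a type_transition only chooses the label; whether the create succeeds still depends on the allow rules, so on a default policy user_touch_t will typically be refused write access to etc_t directories even though its transition rule is present.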