On Saturday 04 December 2010 16:41:39 Dominick Grift wrote:
> So you could define a file type transition:
>
> if unconfined_t creates a file in directories with type etc_t, then
> transition from type etc_t to some specified type (net_conf_t in your
> example)
>
> filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)

Hello again!

I would like to try this out (files created with unconfined_t, under /etc/, to have a label of net_conf_t). My only experience with inserting custom-policy modules is with the "allow rules" suggested by audit2allow. Other than that I have never done anything else policy-wise, so bear with me :)

I tried this:

------------------------------ cut here ---------------------------
module localtran 1.0;

require {
    type unconfined_t;
    type etc_t;
    type net_conf_t;
    class file {write};
}

filetrans_pattern(unconfined_t, etc_t, net_conf_t, file);
------------------------------ cut here ---------------------------

and then tried "checkmodule -M -m localtran.te -o localtran.pp" but I get syntax errors with token "filetrans_pattern". I did some googling and noticed the use of "files_type" and "manage_files" before filetrans_pattern (tried it but didn't work). I'm not sure if I need those and also the class directive.

I would like to try this first and eventually get more sophisticated with your other suggestions. Of course, this is just for learning purposes (not that I need unconfined_t to create files in /etc with net_conf_t).

Regards,
Jorge

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
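The syntax error in the message above comes from feeding a reference-policy macro to checkmodule. checkmodule compiles only the kernel policy language; filetrans_pattern() is an m4 macro from the reference policy (it expands to a type_transition statement plus the directory-write allow rules) and is only expanded by the refpolicy build, i.e. make -f /usr/share/selinux/devel/Makefile from the selinux-policy-devel package. The script below is an added example written for this archive page, not code from Jorge's post, from Dominick's reply, or from Fedora's policy. It writes the same transition in both forms: a plain type_transition module that checkmodule and semodule_package turn into a loadable .pp (checkmodule emits a .mod; the .pp comes from semodule_package), and the refpolicy-style .te for the devel Makefile. The module name "localtran" (kept from the post), the function names and the scratch-directory argument are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the list post or from Fedora's policy): build a
# minimal SELinux policy module that labels files created by unconfined_t
# in etc_t directories as net_conf_t. Function names, the "build" argument
# and the scratch directory are assumptions made for this example.

# Kernel-policy-language version: what checkmodule actually accepts.
write_localtran_te() {
    # $1 = output path for the .te file
    cat > "$1" <<'EOF'
module localtran 1.0;

require {
    type unconfined_t;
    type etc_t;
    type net_conf_t;
    class dir { search write add_name };
    class file { create write getattr setattr };
}

# A type_transition never grants access by itself; the domain still needs
# permission to write the directory and to create the file. unconfined_t
# has these already, but a confined domain would need them spelled out.
allow unconfined_t etc_t:dir { search write add_name };
allow unconfined_t net_conf_t:file { create write getattr setattr };

# Files that unconfined_t creates in etc_t directories get net_conf_t
# instead of inheriting etc_t from the parent directory.
type_transition unconfined_t etc_t:file net_conf_t;
EOF
}

# Reference-policy version of the same module, for
# make -f /usr/share/selinux/devel/Makefile localtran.pp
write_localtran_refpolicy_te() {
    # $1 = output path for the .te file
    cat > "$1" <<'EOF'
policy_module(localtran, 1.0)

gen_require(`
    type unconfined_t;
    type etc_t;
    type net_conf_t;
')

# The macro expands to the type_transition plus the directory write rules,
# so no trailing semicolon and no separate allow rules are needed.
filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)
EOF
}

# Compile the kernel-language module into a loadable package.
# checkmodule produces the .mod; semodule_package wraps it into the .pp.
build_localtran() {
    # $1 = scratch directory; prints the .pp path on success
    write_localtran_te "$1/localtran.te"
    checkmodule -M -m -o "$1/localtran.mod" "$1/localtran.te" || return 1
    semodule_package -o "$1/localtran.pp" -m "$1/localtran.mod" || return 1
    echo "$1/localtran.pp"
}

# Load the package (root) and confirm the rule is in the active policy
# (sesearch comes from setools). Run by hand after build.
install_and_check_localtran() {
    # $1 = path to localtran.pp
    semodule -i "$1" || return 1
    sesearch -T -s unconfined_t -t etc_t -c file || return 1
}

case "${1:-}" in
    build) build_localtran "${2:-.}" ;;
esac
```

Usage: sh localtran.sh build /tmp/lt, then as root semodule -i /tmp/lt/localtran.pp; touch /etc/localtran-test && ls -Z /etc/localtran-test should now show net_conf_t, and semodule -r localtran removes the module again. The write_localtran_refpolicy_te output is built with the devel Makefile instead, which handles the checkmodule and semodule_package steps itself.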