Re: how to transition a daemon to its own domain


 



Thanks for that,
unfortunately I'm still not there yet,
now the application runs in initrc_t (it was remaining in init_t).
This is what the policy looks like (from your and bigon's advice):

########################################
#
# Declarations
#
require {
        type init_t;
}

type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)


######################
########################################
#
# myapp local policy
#
allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;

domain_use_interactive_fds(myapp_t)

#files_read_etc_files(myapp_t)

#miscfiles_read_localization(myapp_t)


I also tried to move the app to a more standard location, as well as labelled the python interpreter's parent directory
as bin_t (it's in a virtualenv). I'm not sure what else to try,
if you have any more clues let me know






On Sat, Jan 18, 2014 at 10:15 PM, Dominick Grift <dominick.grift@xxxxxxxxx> wrote:
On Fri, 2014-01-17 at 10:39 +0300, jiun bookworm wrote:
> I have been attempting to get my app to transition to a different
> domain unsuccessfully,


>
> init_daemon_domain(myapp_t, myapp_unit_file_t);

The transition does not go on myapp_unit_file_t; instead it goes on
myapp_exec_t

> type myapp_exec_t;
> files_type(myapp_exec_t);

So something like this to get started:

type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

As for the unit file, not sure off the top of my head but something like
this:

type myapp_unit_file_t;
systemd_unit_file(myapp_unit_file_t)

The unit file does not get executed, just read. So the transition can't
go on that file



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
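
Added example, not part of the original messages: a small shell check for the point made in the thread, that the transition happens on the executed file and not on the unit file. It extracts the program named in a unit's ExecStart= line and compares that file's SELinux type with the expected entrypoint type (myapp_exec_t from the thread); the unit contents, the /opt/myapp paths and the sample context are constructed assumptions.

```shell
#!/bin/sh
# Added example: find the file a unit actually executes and compare its
# SELinux type with the entrypoint type the policy expects.

# Print the program path from the first ExecStart= line of a unit file,
# dropping systemd's prefix characters (-, @, +, !, :).
exec_path_from_unit() {
    sed -n 's/^ExecStart=[-@+!:]*\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Print the type field of a context such as system_u:object_r:bin_t:s0.
type_of_context() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_entrypoint UNIT EXPECTED_TYPE [CONTEXT]
# CONTEXT is optional; when absent it is read from the file with stat.
# Returns 0 on match, 1 on mismatch, 2 if the unit has no ExecStart.
check_entrypoint() {
    path=$(exec_path_from_unit "$1")
    [ -n "$path" ] || { echo "no ExecStart in $1"; return 2; }
    if [ -n "${3:-}" ]; then
        ctx=$3
    else
        ctx=$(stat -c %C "$path" 2>/dev/null) || ctx="?:?:unknown"
    fi
    actual=$(type_of_context "$ctx")
    if [ "$actual" = "$2" ]; then
        echo "OK: $path is $actual"
    else
        echo "MISMATCH: $path is $actual, policy transitions on $2"
        return 1
    fi
}

# Constructed sample unit (hypothetical paths) for the demo below.
make_sample_unit() {
    unit=$(mktemp)
    printf '%s\n' '[Service]' \
        'ExecStart=/opt/myapp/venv/bin/python /opt/myapp/app.py' > "$unit"
    echo "$unit"
}

sample=$(make_sample_unit)
# Constructed context: the interpreter labelled bin_t, as in the reply above.
check_entrypoint "$sample" myapp_exec_t system_u:object_r:bin_t:s0 || true
rm -f "$sample"
```

On a real system, omit the third argument so the context is read from the file itself.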
