"sandbox ls /usr"
drwxr-xr-x. root root system_u:object_r:usr_t:s0 usr
[1] allow sandbox_domain default_t : file { ioctl read write getattr lock append } ; # sandbox_t is allow to read write to file having type as default_t, but it doesnt allow to open it..so whats the significance of {read write}
[2] allow domain usr_t : dir { ioctl read getattr lock search open }
Does the above stuff make sense from logical point of view and should fixed ?
Initially
i thought that i will just disallow what i dont want...but know i have
realised that selinux is denial by default model and we can only allow
stuff.
>>yum list installed | grep selinux
libselinux.x86_64 2.2.2-6.el7
libselinux-python.x86_64 2.2.2-6.el7
libselinux-utils.x86_64 2.2.2-6.el7
selinux-policy.noarch 3.12.1-153.el7_0.13
selinux-policy-devel.noarch 3.12.1-153.el7_0.13
selinux-policy-sandbox.noarch 3.12.1-153.el7_0.13
selinux-policy-targeted.noarch 3.12.1-153.el7_0.13
>> yum list installed | grep sandbox
selinux-policy-sandbox.noarch 3.12.1-153.el7_0.13
Thanks
On Tue, Jan 20, 2015 at 2:36 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
What do you want to Disallow?
On 01/18/2015 06:34 AM, Bhuvan Gupta wrote:
Hello,
"Audit2allow" can add rule to allow some operation.But let say we want to disallow some operation which is allowed by some policy module. let say open operation on some files.
Is there a easy way to achieve that ?
Or i do have to:[1] get the policy source.[2] edit it accordingly[3] build and reinstall the policy.
ThanksBhuvan
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
