On 07/07/2016 07:46 PM, Göran Uddeborg wrote:
Hello,

It seems I have to use Teamviewer. I downloaded and installed it. Now I'm trying to put together a policy module to make it run without putting SELinux in permissive mode.

This program uses a daemon, and for this I've created a new domain:

    type teamviewerd_t;
    type teamviewerd_exec_t;
    init_daemon_domain(teamviewerd_t, teamviewerd_exec_t)

    /opt/teamviewer/tv_bin/teamviewerd -- gen_context(system_u:object_r:teamviewerd_exec_t,s0)

Then I started to add "allow" rules. Ausearch tells me I get an AVC when "init_t" tries to use "execmem". I'm guessing this is because the execmem test is done before the type transition happens.

Obviously, I don't want to allow init_t the execmem permission in general. Is there some good way around this?

My best idea so far is to create a wrapper binary, give this wrapper the teamviewerd_exec_t type, and let it do exec() on the real teamviewerd program. But it feels a bit clumsy. Are there more direct ways to do it?

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx

Hi,

Could you attach raw AVCs and source policy files?

Thank you.

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.