On Thu, 2008-08-28 at 16:33 -0400, Hong wrote:
> Is there any documentation I can refer to so I can see how the access
> decision is made? Or where in the kernel source code the above logic is
> implemented?
>
> Thanks!
>

Hello and welcome,

There is a separate mailing list for (ref)policy. You can subscribe here:
http://oss.tresys.com/mailman/listinfo/refpolicy

You can browse policy source code here:
http://oss.tresys.com/projects/refpolicy/browser/trunk

I think your explanation looks good.

1. cannot execute (access is denied by default)
2. can execute but not transition to new domain (run executable file in the caller domain)
   for example: if domain_type_6_t tries to execute application_executable_files_type_1_t then run that process in the domain_type_6_t domain
3. can execute and transition to a predefined domain (for example: if domain_type_1_t tries to execute application_executable_files_type_1_t then transition to domain_type_2_t)

You can easily test these with policy like can_exec() and domain_auto_trans()

Another good resource for knowledge is the #selinux and #fedora-selinux irc channel on irc.freenode.org.

if domain_type_3_t tries to execute application_executable_files_type_1_t then transition to domain_type_3_t

-- 
Dominick Grift <domg472@xxxxxxxxx>
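The three outcomes listed in the message above, as a simplified model of the checks made when a domain executes a file. This is an added example, not kernel or refpolicy code and not part of the original message. The rule sets are constructed by hand using the type names from the thread; can_exec() and domain_auto_trans() are not expanded here, and setexec, MLS, constraints and nosuid handling are left out.

```python
from enum import Enum

class Outcome(Enum):
    DENIED = "denied"
    SAME_DOMAIN = "runs in caller domain"
    TRANSITION = "transitions to new domain"

class Policy:
    """Toy policy store: allow rules plus process type_transition rules."""
    def __init__(self):
        self.allow = set()     # (source_type, target_type, class, permission)
        self.type_trans = {}   # (caller_domain, file_type) -> default new domain

    def grant(self, src, tgt, cls, *perms):
        self.allow.update((src, tgt, cls, p) for p in perms)

    def allowed(self, src, tgt, cls, perm):
        return (src, tgt, cls, perm) in self.allow   # no rule means denied

def exec_decision(pol, caller, file_type):
    """Return (Outcome, resulting domain) when caller executes file_type."""
    if not pol.allowed(caller, file_type, "file", "execute"):
        return Outcome.DENIED, caller
    # With no type_transition rule the process keeps the caller's domain.
    new = pol.type_trans.get((caller, file_type), caller)
    if new == caller:
        ok = pol.allowed(caller, file_type, "file", "execute_no_trans")
        return (Outcome.SAME_DOMAIN if ok else Outcome.DENIED), caller
    # A domain change needs process:transition and file:entrypoint as well.
    ok = (pol.allowed(caller, new, "process", "transition")
          and pol.allowed(new, file_type, "file", "entrypoint"))
    return (Outcome.TRANSITION, new) if ok else (Outcome.DENIED, caller)

EXE = "application_executable_files_type_1_t"

def build_sample_policy():
    """Constructed rules mirroring cases 2 and 3 of the message."""
    pol = Policy()
    # Case 2: execute without leaving domain_type_6_t.
    pol.grant("domain_type_6_t", EXE, "file", "execute", "execute_no_trans")
    # Case 3: domain_type_1_t executes EXE and lands in domain_type_2_t.
    pol.grant("domain_type_1_t", EXE, "file", "execute")
    pol.grant("domain_type_1_t", "domain_type_2_t", "process", "transition")
    pol.grant("domain_type_2_t", EXE, "file", "entrypoint")
    pol.type_trans[("domain_type_1_t", EXE)] = "domain_type_2_t"
    return pol
```

A domain with no rules at all falls into case 1, and a type_transition rule without the matching transition and entrypoint permissions is denied rather than silently run in the caller's domain.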