Hello everyone:
I'm now studying SELinux policy on Fedora 10. I wrote a policy module like this:
myapp.if
## <summary>this is to constrain gedit</summary>
myapp.te
policy_module(myapp,1.0.0)
type myapp_t;
# Access to shared libraries
libs_use_ld_so(myapp_t)
libs_use_shared_libs(myapp_t)
miscfiles_read_localization(myapp_t)
type myapp_exec_t;
type myapp_rw_t;
files_type(myapp_exec_t)
files_type(myapp_rw_t)
init_domain(myapp_t,myapp_exec_t)
allow myapp_t myapp_rw_t :file ~{write};
myapp.fc
/usr/bin/gedit -- gen_context(system_u:object_r:myapp_exec_t,s0)
/root/share/a/as -- gen_context(system_u:object_r:myapp_rw_t,s0)
Then I compiled it and it created myapp.pp with no error.
And then I ran the command semodule -i myapp.pp and it succeeded.
Then I relabeled the files using the restorecon command and rebooted.
But after the reboot, /usr/bin/gedit still ran in the unconfined_t domain.
Why?
Crossing the earthquake zone: commemorating the first anniversary of the Wenchuan earthquake
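The module above only wires up a transition from init_t: init_domain() declares the domain and entry point and adds domtrans_pattern(init_t, myapp_exec_t, myapp_t). gedit is not started by init; it is started from a desktop session or shell that runs as unconfined_t, and unconfined_t may execute any file type without changing domain, so labelling /usr/bin/gedit as myapp_exec_t changes nothing for that caller. Below is an added example of a myapp.te that states the transition for the unconfined user (example policy written for this reply, not the poster's module; myapp.fc stays as posted). It assumes the Fedora 10 reference policy ships unconfined_run_to() in unconfined.if and supports the per-domain permissive statement; both are labelled in the comments.

```m4
policy_module(myapp, 1.0.1)

########################################
#
# Declarations
#

type myapp_t;
type myapp_exec_t;
type myapp_rw_t;

# gedit is launched from a user session, not by init, so declare the domain
# and its entry point directly instead of through init_domain().
domain_type(myapp_t)
domain_entry_file(myapp_t, myapp_exec_t)
files_type(myapp_rw_t)

# Assumption: per-domain permissive mode (policy version 23, Fedora 9 and
# later). A GUI program needs many rules (X, D-Bus, fonts, GConf); keep the
# domain permissive while collecting denials with audit2allow, then remove
# this line so the domain is actually enforced.
permissive myapp_t;

########################################
#
# Local policy
#

libs_use_ld_so(myapp_t)
libs_use_shared_libs(myapp_t)
miscfiles_read_localization(myapp_t)

# Everything except write on files labelled myapp_rw_t.
allow myapp_t myapp_rw_t:file ~{ write };

########################################
#
# Transition from the unconfined user
#
# Assumption: unconfined_run_to() exists in this policy's unconfined.if. It
# expands to domtrans_pattern(unconfined_t, myapp_exec_t, myapp_t) plus
# "role unconfined_r types myapp_t;". The role line matters: without it the
# target context unconfined_u:unconfined_r:myapp_t is invalid and the
# execve fails. The unconfined module is optional, hence optional_policy.
#

optional_policy(`
	unconfined_run_to(myapp_t, myapp_exec_t)
')
```

After make -f /usr/share/selinux/devel/Makefile and semodule -i myapp.pp, check each link of the chain rather than only the end result: ls -Z /usr/bin/gedit must show myapp_exec_t (otherwise restorecon did not apply the new context), sesearch -T -s unconfined_t -t myapp_exec_t -c process must list a type_transition to myapp_t, and only then should a freshly started gedit show myapp_t in ps -eZ. If the policy does not provide unconfined_run_to(), the same effect comes from gen_require(` type unconfined_t; role unconfined_r; ') followed by domtrans_pattern(unconfined_t, myapp_exec_t, myapp_t) and role unconfined_r types myapp_t; inside the optional_policy block.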