hechao55429 wrote:
Hello everyone,
I'm now studying SELinux policy on Fedora 10. I wrote a policy
module like this:
myapp.if
## <summary>this is to constrain gedit</summary>
myapp.te
policy_module(myapp, 1.0.0)
type myapp_t;
# Access to shared libraries
libs_use_ld_so(myapp_t)
libs_use_shared_libs(myapp_t)
miscfiles_read_localization(myapp_t)
# Entry point and data file types
type myapp_exec_t;
type myapp_rw_t;
files_type(myapp_exec_t)
files_type(myapp_rw_t)
init_domain(myapp_t, myapp_exec_t)
# Everything on the data file except writing
allow myapp_t myapp_rw_t:file ~{ write };
myapp.fc
/usr/bin/gedit -- gen_context(system_u:object_r:myapp_exec_t,s0)
/root/share/a/as -- gen_context(system_u:object_r:myapp_rw_t,s0)
Then I compiled it and it created myapp.pp with no error.
And then I used the command semodule -i myapp.pp and it succeeded.
Then I relabeled the files using the restorecon command and rebooted.
But after the reboot, /usr/bin/gedit still ran in the unconfined_t
domain.
Why?
You didn't specify a type transition from unconfined; you can do this in your
module using the unconfined_run_to() interface.
--
This message was distributed to subscribers of the selinux mailing list.
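As an added illustration of the reply (my own example, not the poster's module or policy from any project), here is the .te file with the transition from unconfined_t added via unconfined_run_to(); it assumes myapp.fc still labels /usr/bin/gedit as myapp_exec_t and that the refpolicy application_domain() interface is available, as it is on Fedora 10:

```selinux
policy_module(myapp, 1.0.0)

# Declare the domain and its entrypoint. application_domain() marks myapp_t as
# a domain and myapp_exec_t as an executable entry file; the original module's
# init_domain() only set up a transition from init_t, which never runs gedit.
type myapp_t;
type myapp_exec_t;
application_domain(myapp_t, myapp_exec_t)

type myapp_rw_t;
files_type(myapp_rw_t)

# Basic runtime needs, unchanged from the original module
libs_use_ld_so(myapp_t)
libs_use_shared_libs(myapp_t)
miscfiles_read_localization(myapp_t)

# The missing piece: when unconfined_t executes a file labelled myapp_exec_t,
# automatically transition into myapp_t instead of staying unconfined.
unconfined_run_to(myapp_t, myapp_exec_t)

# Assumption: on policy versions where unconfined_run_to() does not already
# authorize the role, the transition is denied until the role is allowed:
# gen_require(`role unconfined_r;')
# role unconfined_r types myapp_t;

# Keep the poster's restriction on the data file: everything but write
allow myapp_t myapp_rw_t:file ~{ write };
```

After semodule -i and restorecon, `sesearch -T -s unconfined_t -t myapp_exec_t` should list the type_transition and `ps -eZ | grep gedit` should show gedit running as myapp_t.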