On Wed, 2010-05-19 at 20:33 +0500, Shaz wrote:
> On Sat, May 15, 2010 at 10:50 PM, Shaz <shazalive@xxxxxxxxx> wrote:
> > Dear list,
> >
> > I want to enable or disable the clipboard with booleans. Is there any
> > available policy that can do this? If not please indicate the relevant place
> > to start with.
>
> There was a flaw in this question that someone on selinux irc
> explained to me. We need to control an application's access to
> booleans. But I am still not sure how much and what effort it
> requires? Pointer to tutorials or some guidance will be appreciated.

If you want to allow changing Booleans on a coarse level (all or
nothing), you just need to allow the setbool permission. The
selinux_set_generic_booleans() or selinux_set_all_booleans() interfaces
should be sufficient for this.

If you want to be fine grained, you can label the selinuxfs entry for
the boolean using the selinux_labeled_boolean() interface. For example
if you wanted to label the "disable_clipboard" boolean:

	type my_boolean_t;
	selinux_labeled_boolean(my_boolean_t, disable_clipboard)

Then you would need to allow rw permissions on the my_boolean_t file, in
addition to the setbool permission. The caveat on this is that the
selinux_labeled_boolean() call and type declaration must be in the base
module, if you use a modular policy.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com