Re: recommending interfaces for audit2allow

Russell Coker wrote:
corenet_tcp_connect_mysqld_port(foo_milter_t)

I think that we need a way for an interface file to recommend itself to have a
higher priority for certain matches.  For example the above policy line does
permit foo_milter_t to talk to a MySQL server on a different system.  But you
probably want something like the following:

mysql_tcp_connect(foo_milter_t)
optional_policy(`
   mysql_stream_connect(foo_milter_t)
')

So it seems that audit2allow should know that mysql_tcp_connect() is a
preferred option to corenet_tcp_connect_mysqld_port() and that having an
option to connect to a Unix domain socket would be good.

Also maybe we should have a single interface with an optional section for
MySQL client access.


Agreed. This seems like it could be solved if sepolgen just automatically demoted corenet_* since that would probably be the majority of cases where this happens (since corenet is allowed to essentially break abstractions).
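
Added example, not part of the original messages and not sepolgen's own code: a sketch of the corenet_* demotion suggested above, applied to a list of candidate interfaces for one denial. The Candidate type, the dist scores, the penalty value and the function names are hypothetical; only the interface names come from the thread or from refpolicy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    interface: str  # refpolicy interface name
    dist: int       # hypothetical match distance: 0 = grants exactly the denied access


# Assumed penalty, large enough that any non-corenet match outranks a corenet one.
CORENET_PENALTY = 100

# Constructed candidates for a denial of foo_milter_t connecting to the MySQL TCP port.
# The dist values are made up for illustration.
CANDIDATES = [
    Candidate("corenet_tcp_connect_mysqld_port", 0),
    Candidate("mysql_tcp_connect", 3),
    Candidate("corenet_tcp_connect_all_ports", 5),
]


def is_corenet(name):
    """True for interfaces of the corenetwork module, which bypass module abstractions."""
    return name.startswith("corenet_")


def rank(candidates, demote_corenet=True):
    """Order candidates best-first; corenet_* interfaces sink when demotion is on."""
    def key(c):
        penalty = CORENET_PENALTY if demote_corenet and is_corenet(c.interface) else 0
        return (c.dist + penalty, c.interface)
    return sorted(candidates, key=key)


def recommend(candidates, demote_corenet=True):
    """Return the best interface name, or None when nothing matched.

    Demotion only reorders: if corenet_* is the only match it is still returned.
    """
    ranked = rank(candidates, demote_corenet)
    return ranked[0].interface if ranked else None


if __name__ == "__main__":
    print("without demotion:", recommend(CANDIDATES, demote_corenet=False))
    print("with demotion:   ", recommend(CANDIDATES))
```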
