> What exactly do you want myDomain_t to be able to do, and to what target
> processes? I doubt you want to allow this for all of these domains.
> Which target processes do you want myDomain_t to be able to look up /
> kill?
>
> The relevant constraint here would be in policy/mcs, as your process is
> running with an MCS level of s0 aka SystemLow but the target is running
> s0-s0:c0.c1023 aka SystemHigh. Type attribute is mcsptraceall,
> refpolicy interface is mcs_ptrace_all(). Alternatively you could run
> your process fully ranged to SystemHigh and avoid the need to add this
> attribute.
>
> --
> Stephen Smalley
> National Security Agency

Stephen,

Basically I need to be able to run the equivalent of '/sbin/service * status' for any service, and eventually start/stop as well. I *think* I may have cracked a good chunk of it (the status portion) by adding 'domain_dontaudit_ptrace_all_domains()' and 'allow myDomain_t pidfile: {read getattr ioctl}'.

I guess my understanding of SELinux is missing how the levels apply to a basic targeted policy. I had thought they didn't apply. Eventually we do want our policy to support MLS/MCS and ultimately the LSPP. If we're not running MCS/MLS, do the SystemLow/SystemHigh ranges actually apply?
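The level mismatch described in the quoted reply can be checked by hand with a small dominance model. This is an added example, not code from the thread or from refpolicy; it assumes the ptrace constraint has the shape "(h1 dom h2) or (t1 == mcsptraceall)", and the function names are hypothetical. The authoritative constraint text is in policy/mcs.

```python
# Added illustration: simplified model of an MCS process constraint.
# Assumed constraint shape: (h1 dom h2) or (t1 == mcsptraceall).
# Function names are hypothetical; check policy/mcs for the real rule.

def parse_level(level):
    """Parse one level, e.g. 's0:c0.c3,c7' -> (0, frozenset({0, 1, 2, 3, 7}))."""
    sens, _, cats = level.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")          # 'c0.c3' is an inclusive range
        lo = int(lo[1:])
        hi = int(hi[1:]) if hi else lo
        out.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(out)

def high_level(range_):
    """Return the parsed high level of 'low-high', or of a single level."""
    low, _, high = range_.partition("-")
    return parse_level(high or low)

def dominates(a, b):
    """a dom b: sensitivity at least as high, category set a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def mcs_allows(source_range, target_range, source_attrs=frozenset()):
    """True if the modeled constraint is satisfied for source acting on target."""
    if "mcsptraceall" in source_attrs:           # what mcs_ptrace_all() grants
        return True
    return dominates(high_level(source_range), high_level(target_range))

SYSTEM_LOW = "s0"                  # level of the calling domain in the thread
SYSTEM_HIGH = "s0-s0:c0.c1023"     # range of the target process in the thread

if __name__ == "__main__":
    cases = [
        ("s0 caller, no attribute", SYSTEM_LOW, frozenset()),
        ("s0 caller with mcsptraceall", SYSTEM_LOW, frozenset({"mcsptraceall"})),
        ("caller ranged to SystemHigh", SYSTEM_HIGH, frozenset()),
    ]
    for name, src, attrs in cases:
        verdict = "allowed" if mcs_allows(src, SYSTEM_HIGH, attrs) else "denied"
        print(f"{name}: {verdict}")
```
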