On 05/14/2014 12:04 PM, Mladen Sekara wrote:
> What would be the best approach to attack this:
>
> One application, multiple components/daemons.
> Some files are specific to a daemon, some are shared between them (eg.
> log files are unique, some config files, keystores... are shared etc.)
>
> All daemons start from a single init script and I am not allowed to
> change it.
>
> Options:
>
> 1. Create policy for each component and then domain transition between
> them (what about shared files???)
> 2. Create a single policy for multiple daemons?
>
> Any advice...

Given that there are some resources private to each daemon and the
daemons may have different permission requirements, I'd suggest creating
a separate domain per daemon and just defining a set of shared types for
the shared resources. You can define them all in a single policy module;
there is no requirement that there only be a single domain in each
policy module. If you then find that some of the domains are almost
identical, you can coalesce them. But you likely won't know that a
priori and it is easier to coalesce domains/types than to split them.
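
A sketch of the layout suggested in the reply, added here as an example and not part of the original message: one reference-policy module holding two daemon domains, private log types, and shared config/keystore types. The module name, every `myapp_*` type, and the choice of which daemon may read the keystore are hypothetical; labeling the binaries and files is done in a separate `.fc` file that is not shown.

```selinux
# myapp.te: added example; all myapp_* names are hypothetical.
policy_module(myapp, 1.0.0)

########################################
# One domain and one entry-point type per daemon.
# init_daemon_domain() sets up the transition from the init script
# domain, so the single, unmodified init script can start both daemons
# and each one lands in its own domain based on the label of its binary.
type myapp_foo_t;
type myapp_foo_exec_t;
init_daemon_domain(myapp_foo_t, myapp_foo_exec_t)

type myapp_bar_t;
type myapp_bar_exec_t;
init_daemon_domain(myapp_bar_t, myapp_bar_exec_t)

########################################
# Private resources: each daemon gets its own log type.
type myapp_foo_log_t;
logging_log_file(myapp_foo_log_t)

type myapp_bar_log_t;
logging_log_file(myapp_bar_log_t)

########################################
# Shared resources: one type per shared resource, not per daemon.
type myapp_conf_t;
files_config_file(myapp_conf_t)

type myapp_keystore_t;
files_type(myapp_keystore_t)

########################################
# foo: manages its own logs, reads shared config and keystore.
manage_files_pattern(myapp_foo_t, myapp_foo_log_t, myapp_foo_log_t)
logging_log_filetrans(myapp_foo_t, myapp_foo_log_t, file)
read_files_pattern(myapp_foo_t, myapp_conf_t, myapp_conf_t)
read_files_pattern(myapp_foo_t, myapp_keystore_t, myapp_keystore_t)

########################################
# bar: manages its own logs, reads shared config only.
# Assumed here to need no keystore access, which a single merged
# domain could not express.
manage_files_pattern(myapp_bar_t, myapp_bar_log_t, myapp_bar_log_t)
logging_log_filetrans(myapp_bar_t, myapp_bar_log_t, file)
read_files_pattern(myapp_bar_t, myapp_conf_t, myapp_conf_t)
```

Neither domain has any rule for the other's log type, so the private resources stay private while the shared types are granted explicitly per domain.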