On 05/15/2014 01:40 PM, dE wrote:
> On 05/14/14 18:10, Daniel J Walsh wrote:
>> As far as roles/type combinations, most system roles get assigned the
>> system_r role. This is the vast majority of role/type combinations.
>> seinfo -rsystem_r -x | wc -l
>> 776
>>
>> User roles are assigned based on the _run interfaces, and are built into
>> higher level interfaces to get assigned automatically when you define a
>> new user_r as a user.
>>
>> seinfo -ruser_r -x | wc -l
>> 175
>> seinfo -rguest_r -x | wc -l
>> 95
>
> Since the role has a set of allowed types it acts as an abstraction
> between a new user and the types; simply assigning a user a certain
> role is enough to define the allowed types a process can have under
> the user.
>
> Since I don't know M4 macros, I would request you to clarify 1 more
> question -- when a new type is defined, are the macros used to define
> which roles this new type will be allowed in? Or is it the other way
> around -- the definition of one of the roles is modified so as to
> include this new type?
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to
> Selinux-request@xxxxxxxxxxxxx.

The other way around. You allow a type to be reached within a role.

role myrole_r types newtype_t;

BTW this is for process types (domains).

Usually we add

role system_r types mytype_t;

and then have an interface (m4 function call) like:

mytype_run(user_t, user_r)

Then this interface would add a rule like

role user_r types mytype_t;
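To make the pattern Dan describes concrete, here is a constructed reference-policy-style module that is not part of the thread and not taken from any shipped policy: the module names, the types mydaemon_t / mydaemon_exec_t, and the interface name mydaemon_run are all assumptions chosen for illustration. The .te file declares the domain and reaches it from system_r, and the .if file provides the _run interface that adds the `role $2 types ...` rule for whatever user domain and role the caller passes in.

```m4
## mydaemon.te  (constructed example; names are assumptions, not real policy)
policy_module(mydaemon, 1.0.0)

type mydaemon_t;            # the process type (domain)
type mydaemon_exec_t;       # the entrypoint executable's file type
domain_type(mydaemon_t)
domain_entry_file(mydaemon_t, mydaemon_exec_t)

# The "usual" rule from the thread: the daemon's domain is reachable
# from the system role, so init can run it.  (In refpolicy,
# init_daemon_domain(mydaemon_t, mydaemon_exec_t) adds this for you.)
role system_r types mydaemon_t;

## mydaemon.if  (constructed example)
########################################
## <summary>
##   Execute mydaemon in the mydaemon_t domain and allow the
##   caller's role to hold that domain.
## </summary>
## <param name="domain">Domain allowed to transition (e.g. user_t).</param>
## <param name="role">Role allowed the mydaemon_t type (e.g. user_r).</param>
#
interface(`mydaemon_run',`
    gen_require(`
        type mydaemon_t, mydaemon_exec_t;
    ')

    # Domain transition $1 -> mydaemon_t when exec'ing mydaemon_exec_t.
    # The role rule alone does not grant this; both are needed.
    domtrans_pattern($1, mydaemon_exec_t, mydaemon_t)

    # The line the thread is about: the role is modified to include the
    # new type, rather than the type being told which roles it lives in.
    role $2 types mydaemon_t;
')

## caller's .te  (constructed example)
# Expands, among other things, to:  role user_r types mydaemon_t;
mydaemon_run(user_t, user_r)
```

After the module is built and loaded, the effect is visible with the same query Dan used: `seinfo -ruser_r -x | grep mydaemon_t` should list the type under user_r, while a role that never called mydaemon_run (say guest_r) should not show it. The caveat worth keeping in mind is that `role ... types ...` only makes the role/type pair valid in a security context; without the accompanying domain transition (the domtrans_pattern above) a user_t process still cannot enter mydaemon_t, and without the role rule a permitted transition is refused because the resulting context would be invalid.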