On 05/16/14 00:38, Daniel J Walsh wrote:
On 05/15/2014 01:40 PM, dE wrote:
On 05/14/14 18:10, Daniel J Walsh wrote:
As far as roles/type combinations, most system roles get assigned the
system_r role. This is the vast majority of role/type combinations.
seinfo -rsystem_r -x | wc -l
776
User roles are assigned based on the _run interfaces, and are built into
higher level interfaces to get assigned automatically when you define a
new user_r as a user.
seinfo -ruser_r -x | wc -l
175
seinfo -rguest_r -x | wc -l
95
Since the role has a set of allowed type it acts as an abstraction
between a new user and the types; simply assigning a user a certain
role is enough to define the allowed types a process can have under
the user.
Since I don't know M4 macros, I would request you to clarify one more
question -- when a new type is defined, are the macros used to define
which roles this new type will be allowed in? Or is it the other way
around -- the definition of one of the roles is modified so as to
include this new type?
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to
Selinux-request@xxxxxxxxxxxxx.
The other way around. You allow a type to be reached within a role.
role myrole_r types newtype_t;
BTW This is for process types (domains).
Usually we add
role system_r types mytype_t;
And then have an interface (an m4 function call) like:
mytype_run(user_t, user_r)
Then this interface would add a rule like
role user_r types mytype_t;
Ok. Thanks for clarifying that.
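The pattern Dan describes above, written out as a complete minimal reference-policy module. This is an added example, not code from the thread or from the shipped policy: the module name `mytype`, the types `mytype_t`/`mytype_exec_t` and the helper interface `mytype_domtrans` are assumed names, and the domain-transition rule inside `mytype_run` is the usual refpolicy convention rather than something stated in the thread. It shows the two places where a role/type association is created: the `.te` file attaches the new domain to system_r directly, and the `_run` interface in the `.if` file attaches it to whatever user role the caller passes in.

```m4
# mytype.te -- the new domain; assumed module name and type names
policy_module(mytype, 1.0.0)

type mytype_t;
type mytype_exec_t;
domain_type(mytype_t)
domain_entry_file(mytype_t, mytype_exec_t)

# "Usually we add": the domain is reachable from system_r unconditionally.
# The role definition is what changes; the type itself knows nothing about roles.
role system_r types mytype_t;


# mytype.if -- interfaces other modules call; each is an m4 macro that
# expands to plain policy statements with $1/$2 replaced by the arguments.

## <summary>Transition to mytype_t when executing mytype_exec_t.</summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
interface(`mytype_domtrans',`
	gen_require(`
		type mytype_t, mytype_exec_t;
	')

	corecmd_search_bin($1)
	# Assumed refpolicy convention: execute the entry file, enter the domain.
	domtrans_pattern($1, mytype_exec_t, mytype_t)
')

## <summary>Transition to mytype_t and allow the caller's role to hold it.</summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
## <param name="role"><summary>Role allowed to contain mytype_t.</summary></param>
interface(`mytype_run',`
	gen_require(`
		type mytype_t;
	')

	mytype_domtrans($1)
	# This is the line the thread is about: the second argument names the
	# role, so the caller decides which user role gains the new type.
	role $2 types mytype_t;
')


# userdomain side (e.g. a local module for the unprivileged user):
# the single interface call below expands to, among other things,
#   role user_r types mytype_t;
# which is why "seinfo -ruser_r -x" lists mytype_t after the module is loaded.
mytype_run(user_t, user_r)
```

After building and loading the module, the association is checked the same way the thread counts them: `seinfo -ruser_r -x | grep mytype_t` should print the type, and `seinfo -rguest_r -x | grep mytype_t` should print nothing, since no `mytype_run(guest_t, guest_r)` call was made. That asymmetry is the point of the interface: a domain is only reachable from a user role when a policy author explicitly hands that role the type.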