On 10/30/2014 12:37 PM, peter enderborg wrote:
> Hi! I'm trying to see where the access control for some socket objects
> occurs.
> And it seems not to be very detailed resolution for sockets. For some
> protocols there is NOTHING. I did a test. I created my own protocol,
> AF_PEG_IPC.
> This can be accessed without a specific type definition or contexts. It
> needs socket access. In my system there are about 20 different protocols.
> They are "all or nothing".
>
> The question is how do I select which root task can access
> AF_PEG_IPC and which cannot. In SELinux root is supposed to be
> in a locked container.

SELinux applies a set of general socket permission checks (e.g. create,
bind, connect, ...) for all sockets, but it can only distinguish among
types of sockets for which security classes have been defined. All other
socket address families are lumped together into the generic socket
security class. If you want to be able to control this AF_PEG_IPC
separately, you need to introduce a security class for it.

See this similar answer on the seandroid-list,
http://marc.info/?l=seandroid-list&m=139056956927985&w=2

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
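As an added illustration of the answer above (not code from the thread or from the SELinux project), here is the shape of the change needed to give a custom address family its own security class. The class name peg_ipc_socket, the constant PF_PEG_IPC and the domain types peg_daemon_t / peg_client_t are all assumptions chosen for the example; the kernel-side lines are quoted in comments because they are C, not policy.

```selinux
# Added example, not from the mailing-list thread.  Goal: give the
# hypothetical AF_PEG_IPC family its own class so that it is no longer
# covered by whatever "socket" permissions a domain already holds.

# 1. Kernel side (security/selinux/include/classmap.h): register the class,
#    reusing the generic socket permission set so the usual create/bind/
#    connect/... checks apply to it.  Assumed C, shown here as a comment:
#
#      { "peg_ipc_socket", { COMMON_SOCK_PERMS, NULL } },
#
#    and in socket_type_to_security_class() (security/selinux/hooks.c)
#    map the family to the new class:
#
#      case PF_PEG_IPC:            /* assumed constant for AF_PEG_IPC */
#          return SECCLASS_PEG_IPC_SOCKET;

# 2. Policy side, security_classes: declare the class.  The name must
#    match the kernel's classmap entry exactly, since the kernel resolves
#    classes by name at policy load.
class peg_ipc_socket

# 3. Policy side, access_vectors: inherit the common socket permissions
#    (create, bind, connect, listen, accept, read, write, ...).
class peg_ipc_socket
inherits socket

# 4. Type enforcement: the daemon may create and bind such sockets, the
#    client may create and connect.  Any other domain, including a root
#    shell in an unrelated domain, is denied peg_ipc_socket access even
#    if it holds broad permissions on the generic "socket" class.
type peg_daemon_t;
type peg_client_t;
allow peg_daemon_t self:peg_ipc_socket { create bind listen accept read write getattr setattr };
allow peg_client_t self:peg_ipc_socket { create connect read write getattr };
```

Once both sides are in place, the class shows up in the loaded policy (for example via `seinfo -c peg_ipc_socket`), and `sesearch -A -c peg_ipc_socket` lists exactly which domains were granted it; an AVC denial for an unlisted domain will name class peg_ipc_socket rather than the generic socket class, which is what makes the per-protocol decision the original poster asked for possible.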