On 02/19/2015 03:17 PM, Tracy Reed wrote:
> On Thu, Feb 19, 2015 at 11:46:18AM PST, Stephen Smalley spake thusly:
>> Domains with those attributes can override the corresponding MCS
>> constraint. Depending on version, seinfo --constrain will dump the
>> actual constraints for you. In any event, I suspect you need to assign
>> the mcsuntrustedproc attribute to your web application domains if you
>> want them to be constrained by MCS at all, plus you'd need to run them
>> with specific category sets.
>
> How do I assign mcsuntrustedproc attribute to my web application domain? I know
> how to set booleans, categories, etc. but have not yet encountered needing to
> set an attribute for a domain. Google for "set selinux attribute" turns up
> stuff about setting user, role, type etc. as attributes but nothing about
> setting attributes such as mcsuntrustedproc.

You need to create a policy module and install it. You can either use
the refpolicy interface for making it MCS constrained (look in
/usr/share/selinux/devel/include/kernel/mcs.if after installing
selinux-policy-devel), or just directly put a typeattribute statement
into your policy module.
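
The direct typeattribute option from the reply above, written out as a policy module. This is an added example, not part of the original message; the module name mywebapp_mcs, the file names and the domain type mywebapp_t are hypothetical placeholders for your own web application domain.

```selinux
# mywebapp_mcs.te
# Added example. mywebapp_t is a hypothetical placeholder: substitute the
# type your web application actually runs as (check with "ps -eZ").

module mywebapp_mcs 1.0;

require {
	# Both symbols must already exist in the loaded policy,
	# otherwise "semodule -i" refuses to link the module.
	type mywebapp_t;
	attribute mcsuntrustedproc;
}

# Add the domain to the attribute named in the thread.
typeattribute mywebapp_t mcsuntrustedproc;

# Build and install (run as root):
#   checkmodule -M -m -o mywebapp_mcs.mod mywebapp_mcs.te
#   semodule_package -o mywebapp_mcs.pp -m mywebapp_mcs.mod
#   semodule -i mywebapp_mcs.pp
#
# Verify that the type is now a member of the attribute:
#   seinfo -amcsuntrustedproc -x
#
# Inspect the MCS constraints that reference the attribute
# (availability depends on the seinfo version, as noted in the thread):
#   seinfo --constrain
```

As the quoted message notes, membership in the attribute is only half of the setup: the processes also have to run with specific category sets for the MCS constraints to separate them.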