On 04/04/2016 03:15 PM, Dominick Grift wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 03/29/2016 08:00 PM, Daniel J Walsh wrote:
I investigated this a little further.
manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)

define(`manage_chr_files_pattern',`
	allow $1 self:capability mknod;
	allow $1 $2:dir rw_dir_perms;
	allow $1 $3:chr_file manage_chr_file_perms;
')
Ok, makes sense, but why didn't this come up with the svirt_sandbox_domain attribute as opposed to container_t? Maybe this is a change in cil.

I guess I should not make this the default for svirt_sandbox_domain, and only add it for specific domains.

Thanks Dominick.
If I write a policy file like
===============================================
policy_module(container, 1.0)

gen_require(`
	attribute svirt_sandbox_domain;
')

type foobar_t;
domain_type(foobar_t)
typeattribute foobar_t svirt_sandbox_domain;
===============================================
I get

sesearch -A -s foobar_t | grep capa
   allow foobar_t foobar_t : capability mknod ;

If I remove the typeattribute line, foobar_t no longer has mknod.
I think this is a compiler problem.
On 03/29/2016 10:53 AM, Daniel J Walsh wrote:
When I compile and install this policy
---------------------------------------------------------------
# cat /tmp/container.te
policy_module(container, 1.0)
virt_sandbox_domain_template(container)
----------------------------------------------------------------
I end up with mknod capability.

sesearch -A -s container_t -t container_t -c capability
Found 1 semantic av rules:
   allow container_t container_t : capability mknod ;

But I didn't add mknod to the policy.

grep mknod tmp/container.tmp
class capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };

Any ideas?
_______________________________________________ Selinux mailing
list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to
Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing
"help" to Selinux-request@xxxxxxxxxxxxx.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
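Added example (not code from the thread, from refpolicy or from the container policy): a small Python simulation of the point Dominick made. A pattern macro called with an attribute as $1 expands to an allow rule whose source is the attribute, so every type that is later given that attribute (container_t via the template, foobar_t via the explicit typeattribute line) inherits the capability. The sesearch-style query below also reports which macro call produced the rule, which is the provenance question asked in the thread. Assumptions: the macro body is the three lines quoted above, permission sets such as rw_dir_perms are left as opaque names, and virt_sandbox_domain_template() is modelled simply as assigning the svirt_sandbox_domain attribute to container_t; the "scoped" variant models Dan's suggested fix of calling the pattern for a specific domain rather than the attribute.

```python
from dataclasses import dataclass

# Constructed from the macro body quoted in the thread. Only the fields
# needed here are modelled; permission sets like rw_dir_perms are kept
# as opaque names rather than expanded (assumption).
PATTERNS = {
    "manage_chr_files_pattern": [
        ("$1", "self", "capability", ("mknod",)),
        ("$1", "$2", "dir", ("rw_dir_perms",)),
        ("$1", "$3", "chr_file", ("manage_chr_file_perms",)),
    ],
}


@dataclass(frozen=True)
class AvRule:
    source: str       # type or attribute, as written after m4 expansion
    target: str       # type, attribute, or the keyword "self"
    tclass: str
    perms: tuple
    origin: str       # the macro call that produced this rule


class Policy:
    def __init__(self):
        self.attr_members = {}   # attribute name -> set of type names
        self.rules = []

    def typeattribute(self, type_name, attr):
        self.attr_members.setdefault(attr, set()).add(type_name)

    def call(self, pattern, *args):
        """Expand a pattern macro like m4 would: $1..$n are replaced by args."""
        origin = f"{pattern}({', '.join(args)})"
        for src, tgt, tclass, perms in PATTERNS[pattern]:
            self.rules.append(AvRule(self._subst(src, args),
                                     self._subst(tgt, args), tclass, perms, origin))

    @staticmethod
    def _subst(token, args):
        return args[int(token[1:]) - 1] if token.startswith("$") else token

    def _matches(self, name, type_name):
        # A rule written against an attribute applies to every member type.
        return name == type_name or type_name in self.attr_members.get(name, set())

    def sesearch(self, source_type, tclass):
        """Return (rule text, origin) pairs, like `sesearch -A -s T -c C` plus provenance."""
        found = []
        for r in self.rules:
            if r.tclass != tclass or not self._matches(r.source, source_type):
                continue
            target = source_type if r.target == "self" else r.target
            text = f"allow {source_type} {target} : {tclass} {' '.join(r.perms)} ;"
            found.append((text, r.origin))
        return found


def build_thread_policy(attribute_wide=True, foobar_has_attr=True):
    """Model the thread's situation.

    attribute_wide=True reproduces the original policy: the pattern is
    called with the svirt_sandbox_domain attribute as $1.  False models
    the fix Dan suggests: call it for the specific domain (container_t
    here) instead of the attribute.
    """
    pol = Policy()
    # Assumption: virt_sandbox_domain_template() gives container_t the attribute.
    pol.typeattribute("container_t", "svirt_sandbox_domain")
    if foobar_has_attr:
        pol.typeattribute("foobar_t", "svirt_sandbox_domain")
    subject = "svirt_sandbox_domain" if attribute_wide else "container_t"
    pol.call("manage_chr_files_pattern", subject,
             "svirt_sandbox_file_t", "svirt_sandbox_file_t")
    return pol


def mknod_origin(pol, type_name):
    """Which macro call (if any) gives type_name the mknod capability?"""
    for text, origin in pol.sesearch(type_name, "capability"):
        if "mknod" in text.split(":")[1].split():
            return origin
    return None


if __name__ == "__main__":
    for t in ("container_t", "foobar_t"):
        print(t, "->", mknod_origin(build_thread_policy(), t))
    print("foobar_t without typeattribute ->",
          mknod_origin(build_thread_policy(foobar_has_attr=False), "foobar_t"))
    print("foobar_t with pattern scoped to container_t ->",
          mknod_origin(build_thread_policy(attribute_wide=False), "foobar_t"))
```

Running it shows foobar_t gaining mknod purely through the attribute, losing it when the typeattribute line is dropped (the behaviour Dan observed), and also losing it when the pattern is called for container_t alone, which is the narrowing he concludes he should do.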