On 11/07/2016 04:01 PM, Stephen Smalley wrote:
I suppose that's true, depending on what it is that you have to allow
between foo_t and bar_t, e.g. you can allow foo_t to connect to a bar_t
socket or similar without allowing it to connect to unconfined_t
sockets.
Exactly.
If you truly want bar_t to be unconfined, you can always just
have it call the unconfined_domain() interface in refpolicy, e.g.
unconfined_domain(bar_t), and it will inherit all of the unconfined
domain rules.
Thanks for the info.
It would be great (and this would be my last question), if you could
give a pointer to a complete documentation of refpolicy macros and
interfaces - I could find the kernel rules, and that it makes use of m4
macros, but not a complete documentation.
Yes, it is better if you have some idea of the expected functionality of
bar, whether from source code, static analysis of the binary, strace, or
documentation, and can then define up front policy that corresponds.
I have some idea of the functionality, but I do not have access to all
details of the code. It is a closed source commercial product.
I think I'll ask the supplier for more info (and eventually to support
selinux themselves)
Thanks a lot for your info.
M. Manfredini
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
