racoon denials
Daniel Fazekas
fdsubs at t-online.hu
Tue Aug 18 09:36:35 UTC 2009
On Aug 18, 2009, at 11:17, Dominick Grift wrote:
> try this rule instead of the domtrans_pattern():
> can_exec(racoon_t, setkey_exec_t)
Thanks, that did the trick.
Everything seems to be fine now with enforcing turned fully back on.
Here's for reference the myracoon.te we ended up with, in case it
helps somebody else too:
policy_module(myracoon, 0.0.4)

require { type racoon_t, setkey_exec_t; }

# Read access to the shadow password file
auth_read_shadow(racoon_t)
# Run setkey in the racoon_t domain itself (no domain transition, unlike domtrans_pattern)
can_exec(racoon_t, setkey_exec_t)
# Silence the harmless getattr on xattr-capable filesystems instead of allowing it
fs_dontaudit_getattr_xattr_fs(racoon_t)

# Private temp type so racoon's files under /tmp get their own label
type racoon_tmp_t;
files_tmp_file(racoon_tmp_t)
manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
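As an added example (not part of this thread), here is a small Python triage script for the kind of AVC denials the module above is meant to resolve. It parses audit.log AVC records, groups the denied permissions per (source type, target type, class), and reports which groups are not covered by what the module is assumed to grant, so you can tell a denial the module already handles from one that still needs a decision. The log lines are constructed for this example, and ASSUMED_COVERAGE is an assumption about what the interfaces grant, not the reference policy's actual definitions.

```python
"""Triage AVC denials for one domain and compare them with a local policy module."""
import re
from collections import defaultdict

# Constructed sample audit.log lines (pids, inodes and timestamps are made up).
SAMPLE_AVC = """\
type=AVC msg=audit(1250583000.101:41): avc:  denied  { read } for  pid=2101 comm="racoon" name="shadow" dev=sda1 ino=1001 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1250583000.102:42): avc:  denied  { open } for  pid=2101 comm="racoon" name="shadow" dev=sda1 ino=1001 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1250583000.250:43): avc:  denied  { execute } for  pid=2102 comm="racoon" name="setkey" dev=sda1 ino=2002 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250583000.251:44): avc:  denied  { execute_no_trans } for  pid=2102 comm="racoon" name="setkey" dev=sda1 ino=2002 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250583000.300:45): avc:  denied  { write } for  pid=2101 comm="racoon" name="tmp" dev=sda1 ino=3003 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250583000.301:46): avc:  denied  { getattr } for  pid=2101 comm="racoon" name="/" dev=sda1 ino=1 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1250583000.350:47): avc:  denied  { write } for  pid=2101 comm="racoon" name="racoon.log" dev=sda1 ino=4004 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=USER_AVC msg=audit(1250583000.400:48): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)'
"""

# Assumed permission sets granted by the posted myracoon.te, keyed like the
# summary below.  This is an assumption for the example; the authoritative
# sets come from the interface definitions in the reference policy.
ASSUMED_COVERAGE = {
    ("racoon_t", "shadow_t", "file"): {"read", "open", "getattr"},              # auth_read_shadow()
    ("racoon_t", "setkey_exec_t", "file"): {"execute", "execute_no_trans",
                                            "read", "open", "getattr"},          # can_exec()
    ("racoon_t", "fs_t", "filesystem"): {"getattr"},                            # fs_dontaudit_getattr_xattr_fs()
    ("racoon_t", "tmp_t", "dir"): {"search", "write", "add_name", "remove_name"},  # files_tmp_filetrans()
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Yield (source type, target type, class, perms) for each 'denied' AVC line.

    Records that are not denials (e.g. the USER_AVC policyload notice) are skipped.
    """
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append((context_type(m["scontext"]), context_type(m["tcontext"]),
                        m["tclass"], frozenset(m["perms"].split())))
    return denials


def summarize(denials, domain=None):
    """Merge the denied permissions per (source, target, class), optionally for one domain."""
    summary = defaultdict(set)
    for src, tgt, cls, perms in denials:
        if domain is None or src == domain:
            summary[(src, tgt, cls)] |= perms
    return dict(summary)


def uncovered(summary, coverage):
    """Return the denials whose permissions are not all granted (or silenced) by coverage."""
    out = {}
    for key, perms in summary.items():
        missing = perms - coverage.get(key, set())
        if missing:
            out[key] = missing
    return out


if __name__ == "__main__":
    summary = summarize(parse_avc(SAMPLE_AVC), domain="racoon_t")
    for (src, tgt, cls), perms in sorted(summary.items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
    print("not covered by myracoon.te:")
    for (src, tgt, cls), perms in sorted(uncovered(summary, ASSUMED_COVERAGE).items()):
        print(f"  {src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
```

Feed it `ausearch -m avc` output (or a copy of /var/log/audit/log) instead of the sample. A denial left in the "not covered" list is a prompt for a decision, not an automatic allow rule: the constructed var_log_t write, for instance, is more likely a mislabeled log file to fix with restorecon than a permission the domain should gain.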