Odd boolean in /etc/selinux/strict/booleans?

Ivan Gyurdiev ivg2 at cornell.edu
Thu Mar 31 18:40:03 UTC 2005


> I think we need to maybe stop marking certain defined domains as
> exec_type.  To prevent all users from being able to execute the
> application without a transition.

If you want to prevent all users from being able to execute the app
w/out a transition, then set disable_trans to false, and that should
suffice, shouldn't it?

> Even in your example I disable-trans for games and then accidentally
> run some game as sysadm, bad things can happen.

So what you really want is to always transition for sysadm,
regardless of what disable_trans is set to.

if (! disable_games_trans) {
    domain_auto_trans($1_t, games_exec_t, $1_games_t)
}
ifelse($1, sysadm, `
    domain_auto_trans(sysadm_t, games_exec_t, sysadm_games_t)
')

-- 
Ivan Gyurdiev <ivg2 at cornell.edu>
Cornell University



