Still unconfined?

Daniel J Walsh dwalsh at redhat.com
Wed Nov 29 18:37:37 UTC 2006


Daniel J Walsh wrote:
> Jimmy wrote:
>> Hi!
>>
>> I'm trying to learn SELinux from the bottom up, but I'm having some 
>> fundamental issues regarding the basics.
>> I'm trying to load the mozilla.pp module in targeted, which works 
>> fine. I set the correct contexts with restorecon on firefox-bin. But 
>> when I run the binary it still runs in unconfined_t when looking at 
>> running processes (ps auxZ).
>> I've tried to compile it myself from different sources, and load it, 
>> but get the same results all the time. Then I tried with netutils.pp 
>> and discovered the same problem with ping.
>>
>> Why doesn't firefox get transferred to the $1_mozilla_t domain??? I 
>> know I'm making some really fundamental mistake somewhere, but I can't 
>> find out what it is!
>>
>> With best regards / Tomten
>>
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> You need to write a transition rule from unconfined_t to mozilla_t
>
> Something like
>
> mozilla_per_role_template(user, unconfined_t, system_r)
>
>
> But there is a bug in policy right now
>
>    gen_require(`
>        type mozilla_exec_t;
>        type mozilla_conf_t;
>    ')
>
> Needs to be added to the mozilla_per_role_template interface definition.
>
Looking further into this, I realize there is a lot of work to be done 
to make this happen.  I think it is better to work on a simpler domain.  
I plan on adding a confinement of mozilla in FC7.  But right now I am 
concentrating on RHEL 5/FC6.

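An added example, not part of the posts above: a small checker for the four policy rules that an automatic domain transition on exec needs, which shows why a correctly labeled binary still runs in unconfined_t. The rules are constructed sample input rather than a real policy dump, and the `user_mozilla_t` name assumes `$1_mozilla_t` instantiated with `user`, as in the template call quoted in the thread.

```python
import re

# Constructed sample rules in policy syntax (assumption: not a real policy dump).
# Scenario from the thread: module loaded, binary labeled mozilla_exec_t,
# but only user_t has been wired to the (assumed) user_mozilla_t domain.
SAMPLE_RULES = """
allow user_t mozilla_exec_t:file { read getattr execute };
allow user_t user_mozilla_t:process transition;
allow user_mozilla_t mozilla_exec_t:file { read getattr execute entrypoint };
type_transition user_t mozilla_exec_t:process user_mozilla_t;
allow unconfined_t mozilla_exec_t:file { read getattr execute execute_no_trans };
"""

ALLOW = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")
TRANS = re.compile(r"type_transition\s+(\S+)\s+(\S+):process\s+(\S+)\s*;")

def parse(text):
    """Return (set of (source, target, class, perm), {(source, exec_type): new_domain})."""
    allows, trans = set(), {}
    for line in text.splitlines():
        line = line.strip()
        if m := ALLOW.match(line):
            src, tgt, cls, braced, single = m.groups()
            for perm in (braced or single).split():
                allows.add((src, tgt, cls, perm))
        elif m := TRANS.match(line):
            trans[(m.group(1), m.group(2))] = m.group(3)
    return allows, trans

def missing_for_transition(text, source, exec_type, target):
    """List what `source` lacks to enter `target` automatically when it execs `exec_type`."""
    allows, trans = parse(text)
    needed = {
        "execute": (source, exec_type, "file", "execute"),        # source may run the file
        "entrypoint": (target, exec_type, "file", "entrypoint"),  # file may start the target domain
        "transition": (source, target, "process", "transition"),  # source may change to target
    }
    missing = [name for name, rule in needed.items() if rule not in allows]
    # Without a type_transition rule the new process keeps the caller's domain.
    if trans.get((source, exec_type)) != target:
        missing.append("type_transition")
    return missing

if __name__ == "__main__":
    for src in ("user_t", "unconfined_t"):
        gaps = missing_for_transition(SAMPLE_RULES, src, "mozilla_exec_t", "user_mozilla_t")
        print(src, "->", gaps or "ok")
```

On a live system the rule text would come from the policy query tools instead of the embedded sample.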




