example of a domain with transition policy
Dominick Grift
domg472 at gmail.com
Thu Jan 29 21:44:49 UTC 2009
The source policy has all the info and documentation / examples you
need. Eclipse-slide provides easy access.
On Thu, 2009-01-29 at 13:29 -0800, Vadym Chepkov wrote:
> Unfortunately, I have to allow for it to "work" now, but I don't want to turn off SELinux.
>
> My first draft is this, by the way, and it's "working", so managers are off my back.
>
> ai.te:
>
> policy_module(ai,0.0.1)
>
> type ai_initrc_exec_t;
> init_script_type(ai_initrc_exec_t);
>
> type ai_exec_t;
> userdom_executable_file(ai_exec_t);
>
> unconfined_alias_domain(ai_t);
>
> init_daemon_domain(ai_t,ai_exec_t)
>
> type ai_log_t;
> logging_log_file(ai_log_t)
>
> manage_dirs_pattern(ai_t,ai_log_t,ai_log_t)
> manage_files_pattern(ai_t,ai_log_t,ai_log_t)
>
> ai.fc:
>
> /etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
> /usr/r/bin/aiadmin -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
> /usr/r/bin/aiclient -- gen_context(system_u:object_r:ai_exec_t,s0)
> /usr/r/bin/aiagent -- gen_context(system_u:object_r:ai_exec_t,s0)
> /usr/r/logs(/.*)? gen_context(system_u:object_r:ai_log_t,s0)
>
> I just need to figure out what kind of auditallow statement to put in so it will log what wasn't specifically allowed only.
>
> The biggest challenge for me, so far, is to figure out all those macros from /usr/share/selinux/devel/include, I can't find any document that would have them all.
>
>
> Sincerely yours,
> Vadym Chepkov
>
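
Added example (not part of either message, and not code from the policy project): one way to get an overview of the macros under /usr/share/selinux/devel/include is to index the `interface()` and `template()` definitions in the `.if` files together with their doc comments. It assumes the `## <summary>` / `## <param name="...">` comment layout shown in the sample; `list_interfaces`, `make_sample`, `sample.if` and `sample_daemon_domain` are hypothetical names, and the sample file is constructed.

```shell
# Added example: index interface()/template() macros found in .if files.
# list_interfaces DIR prints "name(params)<TAB>summary<TAB>file" per macro.
list_interfaces() {
    find "$1" -type f -name '*.if' | sort | while IFS= read -r f; do
        awk -v file="$f" -v q="'" '
        function reset() { summary = ""; params = ""; in_sum = 0; seen = 0 }
        /^###+[ \t]*$/ { reset(); next }   # separator opens a new doc block
        /^##/ {
            line = $0; sub(/^##[ \t]*/, "", line)
            if (line ~ /^<param name="/) {
                split(line, p, "\"")
                params = params (params == "" ? "" : ", ") p[2]
            } else if (line ~ /^<summary>/ && !seen) {
                in_sum = 1; sub(/^<summary>[ \t]*/, "", line)
            }
            if (in_sum) {   # only the first summary of a block is collected
                if (sub(/[ \t]*<\/summary>.*/, "", line)) { in_sum = 0; seen = 1 }
                if (line != "") summary = summary (summary == "" ? "" : " ") line
            }
            next
        }
        /^(interface|template)\(`/ {
            name = $0; sub(/^[a-z]+\(`/, "", name)
            name = substr(name, 1, index(name, q) - 1)   # cut at the closing quote
            printf "%s(%s)\t%s\t%s\n", name, params, summary, file
            reset()
        }' "$f"
    done
}
# make_sample DIR writes a constructed .if file (hypothetical interface name).
make_sample() {
    cat > "$1/sample.if" <<'EOF'
## <summary>Constructed sample module.</summary>
########################################
## <summary>
##  Create a domain for a daemon
##  started by an init script.
## </summary>
## <param name="domain">
##  <summary>Process type.</summary>
## </param>
## <param name="entry_point">
##  <summary>Entry point file type.</summary>
## </param>
interface(`sample_daemon_domain',`
')
EOF
}
# No argument: demo on the constructed sample. With an argument: index that DIR.
d=${1:-$(mktemp -d)}; [ -n "${1:-}" ] || make_sample "$d"; list_interfaces "$d"
```

Run it with the include directory mentioned in the thread as the argument to index the installed interfaces; piping the output through `grep` or `sort` then gives a quick lookup by name or keyword.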