example of a domain with transition policy
Stephen Smalley
sds at tycho.nsa.gov
Fri Jan 30 12:50:12 UTC 2009
On Thu, 2009-01-29 at 14:43 -0800, Vadym Chepkov wrote:
> > I don't think you want an alias (i.e. two names for the
> > same domain) but
> > rather another domain that is unconfined as well. Use
> > unconfined_domain().
>
> sshd_t is defined this way in Redhat policy, I learn from the masters :)
>
> $ cd /home/vvc/rpmbuild/BUILD/serefpolicy-2.4.6/policy/modules/services
> $ grep sshd_t ssh.te |grep domain
> unconfined_alias_domain(sshd_t)
> init_system_domain(sshd_t,sshd_exec_t)
That has changed in newer policies. But regardless, if you want to be
able to see allows/denies on ai_t, you can't make it an alias - it needs
to be its own distinct type. Aliases are just turned into the same
underlying type internally, so they will still show up as unconfined_t
in audit messages and ps -Z output.
> >
> > Interesting question about auditallow; you might need a
> > script to
> > generate the right set, maybe derived from
> > audit2allow/sepolgen innards.
> > Watch out though - auditallow'ing everything will flood
> > your system with
> > too many audit messages.
>
> Exactly, I want to avoid it.
--
Stephen Smalley
National Security Agency
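
Added example, not part of the original message or of any shipped policy: a policy module source file contrasting the alias form quoted above with the distinct-type form the reply recommends. The module name `ai`, the entrypoint type `ai_exec_t`, and the assumption that the program is started by init (as sshd is in the quoted lines) are hypothetical.

```selinux
policy_module(ai, 1.0.0)

# Assumption: the program is started by init, as sshd is in the quoted
# ssh.te lines. ai_exec_t is a hypothetical type for its executable.

# Alias form (the quoted sshd_t pattern applied to ai_t), shown commented out.
# ai_t is only a second name for unconfined_t, so audit messages and
# ps -Z report unconfined_t and nothing can be attributed to ai_t.
#
#   unconfined_alias_domain(ai_t)
#   init_system_domain(ai_t, ai_exec_t)

# Distinct-type form: ai_t is declared as its own type, so it appears
# under its own name in audit messages and ps -Z output.
type ai_t;
type ai_exec_t;

# Mark ai_t as a domain entered from init through ai_exec_t.
init_system_domain(ai_t, ai_exec_t)

# Keep the domain unconfined, as suggested earlier in the thread.
unconfined_domain(ai_t)
```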