I got some quick info on how to start writing policy for OpenLMI providers, see below. Please try it for your providers and send AVCs to Mirek Grepl.
I can only add:
0.1: Install necessary packages
# yum install selinux-policy-devel
0.2: read /usr/share/doc/tog-pegasus-2.12.1/README.RedHat.Security
0.3: based on the document above:
# cp /usr/share/doc/tog-pegasus-2.12.1/cmpiOSBase_OperatingSystemProvider-cimprovagt.example /usr/libexec/pegasus/<yourprovider>-cimprovagt
(and package the file)
# chmod 755 /usr/libexec/pegasus/<yourprovider>-cimprovagt
Jan
-------- Original Message --------
Subject: how to get a policy for openlmi-*
Date: Wed, 29 May 2013 10:16:36 +0200
From: Miroslav Grepl mgrepl@redhat.com
To: jsafrane@redhat.com
1. create own policy for a provider
# cat mypol.te
policy_module(mypol,1.0)
pegasus_openlmi_domain_template(providername)
and run
# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp
# chcon -t pegasus_openlmi_providername_exec_t PATH_TO/providername
test it and run
# ausearch -m avc -ts recent
and send me AVC msgs.
For example we define in the policy
pegasus_openlmi_domain_template(account)
If you want to activate the policy for this account provider, you need to run
# chcon -t pegasus_openlmi_account_exec_t /usr/libexec/pegasus/cmpiLMI_Account-cimprovagt
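
Added example, not part of the original e-mails: a shell filter that reduces `ausearch -m avc -ts recent` output to the distinct denials raised by one provider's domain, which is handy for reviewing what you are about to send. It assumes the template names the process domain pegasus_openlmi_<provider>_t (only the _exec_t type appears above); the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample records in the layout printed by `ausearch -m avc`.
# The "storage" provider and all pids/inodes are made up for this example.
sample_avcs() {
cat <<'EOF'
----
time->Wed May 29 10:16:36 2013
type=SYSCALL msg=audit(1369815396.101:411): arch=c000003e syscall=2 success=no exit=-13 comm="cimprovagt"
type=AVC msg=audit(1369815396.101:411): avc:  denied  { read } for  pid=2101 comm="cimprovagt" name="passwd" dev="dm-0" ino=1311 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1369815397.222:412): avc:  denied  { read } for  pid=2101 comm="cimprovagt" name="passwd" dev="dm-0" ino=1311 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1369815398.333:413): avc:  denied  { write open } for  pid=2101 comm="cimprovagt" name="shadow" dev="dm-0" ino=1312 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1369815399.444:414): avc:  denied  { getattr } for  pid=2200 comm="cimprovagt" path="/dev/sda" dev="devtmpfs" ino=77 scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1369815400.555:415): avc:  denied  { search } for  pid=1900 comm="cimserver" name="tmp" dev="dm-0" ino=9 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
EOF
}

# summarize_avcs PROVIDER
# Reads AVC records on stdin and prints one line per distinct denial from
# that provider's domain: "<count> { <perms> } <tclass> <target type>".
summarize_avcs() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*)
            echo "usage: summarize_avcs PROVIDER (letters, digits, _)" >&2
            return 2 ;;
    esac
    # Assumption: process domain is pegasus_openlmi_<provider>_t.
    domain="pegasus_openlmi_$1_t"
    # Keep only denials whose source context is the provider domain, then
    # extract permissions, target type and object class from each record.
    sed -n "s/.*avc: *denied *{ \([^}]*\) } .* scontext=[^ ]*:${domain}:[^ ]* tcontext=[^: ]*:[^: ]*:\([^: ]*\):[^ ]* tclass=\([^ ]*\).*/{ \1 } \3 \2/p" |
        sort | uniq -c | sed 's/^ *//'
}

# Stand-alone run on the constructed sample; on a real system use:
#   ausearch -m avc -ts recent | summarize_avcs account
sample_avcs | summarize_avcs account
```

Denials from pegasus_t itself or from other providers are dropped, so an empty result means the provider is either not yet running in its own domain (check the chcon step) or raised no denials.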