On Fri, 2006-07-21 at 14:14 -0700, Michael Thomas wrote:
>> You should check that the transition has happened by running ps with the
>> "-Z" option to show the process context when you're running the
>> application.
> It shows up as crossfire_exec_t because...
crossfire_exec_t? Not crossfire_t?
>> Note that most things running confined under targeted policy are started
>> from initscripts and there is no transition from unconfined_t needed (or
>> wanted). That's not the case here though.
> ...it is started from an init script. Normal (unconfined) users should
> not be starting this by hand. Instead, normal users will run the client
> application which connects to this server. In this case, it sounds like
> I don't need the rule to transition from unconfined_t.
Right; I must have missed the initscript in the files list.
So yes, you are correct that you don't need (or even want) the transition from
unconfined_t.
>>Some things that would be nice to clarify:
>>
>>Should selinux be added as a subpackage or automatically included in the
>>base package?
>
>
> I don't have a strong opinion either way on this. I've tended to stick
> to keeping everything together because I find it easier to manage that
> way. As long as the SELinux bits don't get in the way of people not
> using them, I don't think it's a problem.
I think I would prefer to use a separate package (not integrated with
the base package), so that the policy can be turned on and off by simply
installing/uninstalling the -selinux package.
Bear in mind that there should be a crossfire_disable_trans boolean that
would turn off the policy (or rather the transition to crossfire_t) when
set, without having to uninstall the policy.
Paul.
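The two checks discussed in this thread, written up as an added example that is not part of the mailing-list exchange: it parses `ps -eZ` output (a sample constructed inline) to confirm the daemon's process type is crossfire_t rather than a file type such as crossfire_exec_t, and reads a `getsebool` line for the crossfire_disable_trans boolean. The command names crossfire-server and crossfire-client are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. A process label from ps -Z has the form
# user:role:type:level; the third field is the domain the process runs in.
# Constructed sample of `ps -eZ` output (on a real host run: ps -eZ):
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0          1 ?        00:00:01 init
system_u:system_r:crossfire_t:s0  2345 ?        00:00:03 crossfire-server
unconfined_u:unconfined_r:unconfined_t:s0 2890 pts/0 00:00:00 crossfire-client'

# domain_of CMD PSOUTPUT -> prints the SELinux type of the first process whose
# command (last column) equals CMD, or nothing if it is not running.
domain_of() {
    printf '%s\n' "$2" | awk -v cmd="$1" '$NF == cmd { split($1, f, ":"); print f[3]; exit }'
}

# check_domain CMD EXPECTED PSOUTPUT -> 0 if CMD runs as EXPECTED, else 1.
# A *_exec_t type labels the executable file (what ls -Z shows), not a running
# process, so it is never the answer to "which domain did it transition to".
check_domain() {
    actual=$(domain_of "$1" "$3")
    case "$actual" in
        "$2") return 0 ;;
        "")   echo "$1: not running" >&2; return 1 ;;
        *_exec_t) echo "$1: $actual is a file type, not a process domain" >&2; return 1 ;;
        *)    echo "$1: runs as $actual, expected $2" >&2; return 1 ;;
    esac
}

# getsebool prints "<boolean> --> on|off". Constructed sample
# (on a real host run: getsebool crossfire_disable_trans):
SAMPLE_BOOL='crossfire_disable_trans --> off'

# bool_is_on OUTPUT -> 0 if the boolean reads "on". A *_disable_trans boolean
# that is on keeps the daemon in the init script's domain instead of crossfire_t.
bool_is_on() { [ "$(printf '%s\n' "$1" | awk '{ print $3 }')" = on ]; }

# Stand-alone usage: verify the daemon, and explain a failure via the boolean.
if check_domain crossfire-server crossfire_t "$SAMPLE_PS"; then
    echo "crossfire-server is confined in crossfire_t"
elif bool_is_on "$SAMPLE_BOOL"; then
    echo "transition disabled by crossfire_disable_trans; setsebool it off"
fi
```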