I don't see how the policy that you have pasted below could possibly
work because you did not even declare a domain type (type ai_t;).
Also there are a bunch of syntax errors there.
If you had visited us on IRC, then chances are that you would
have a workable policy by now.
On Thu, 2009-01-29 at 22:44 +0100, Dominick Grift wrote:
The source policy has all the info and documentation / examples you
need. Eclipse-slide provides easy access.
On Thu, 2009-01-29 at 13:29 -0800, Vadym Chepkov wrote:
> Unfortunately, I have to allow for it to "work" now, but I don't want to turn off selinux.
> My first draft is this, by the way, and it's "working", so managers are off my back.
> type ai_initrc_exec_t;
> type ai_exec_t;
> type ai_log_t;
> /etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
> /usr/r/bin/aiadmin -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
> /usr/r/bin/aiclient -- gen_context(system_u:object_r:ai_exec_t,s0)
> /usr/r/bin/aiagent -- gen_context(system_u:object_r:ai_exec_t,s0)
> /usr/r/logs(/.*)? gen_context(system_u:object_r:ai_log_t,s0)
> I just need to figure out what kind of auditallow statement to put in so it will log what wasn't specifically allowed only.
> The biggest challenge for me, so far, is to figure out all those macros from /usr/share/selinux/devel/include, I can't find any document that would have them all.
> Sincerely yours,
> Vadym Chepkov
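
An added example, not part of the original thread and not either poster's policy: a minimal ai.te that declares the missing domain type ai_t and ties the draft's three types to it with reference-policy interfaces. The module version, the choice of interfaces and the use of a permissive domain are assumptions; the file contexts are assumed to stay in a separate ai.fc.

```selinux
# ai.te (illustrative sketch; build with the devel Makefile under
# /usr/share/selinux/devel, assumed installed)
policy_module(ai, 1.0.0)

########################################
# Declarations
#

# The domain the daemon runs in. The draft declared only file types,
# so the processes had no domain of their own to transition into.
type ai_t;
type ai_exec_t;
# Marks ai_t as a daemon domain, ai_exec_t as its entrypoint, and adds
# the transition taken when an init script executes an ai_exec_t file.
init_daemon_domain(ai_t, ai_exec_t)

# Label for the init script, so it runs as an init script.
type ai_initrc_exec_t;
init_script_file(ai_initrc_exec_t)

# Log file type; the interface gives it the attributes that log files carry.
type ai_log_t;
logging_log_file(ai_log_t)

########################################
# Local policy for ai_t
#

# The daemon creates and writes its own logs under /usr/r/logs.
manage_dirs_pattern(ai_t, ai_log_t, ai_log_t)
manage_files_pattern(ai_t, ai_log_t, ai_log_t)

# Development aid (assumes a toolchain with permissive-domain support):
# accesses not allowed for ai_t are logged as AVC denials but not blocked,
# while every other domain on the system stays enforcing.
permissive ai_t;
```

With the domain permissive, the logged denials for ai_t show which accesses the policy still lacks; the permissive line is removed once the rules cover what the daemon needs.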