Thanks for that,
unfortunately I'm still not there yet,
now the application runs in initrc_t (it was remaining in init_t)
this is what the policy looks like (from your and bigon's advice):
########################################
#
# Declarations
#
require {
type init_t;
}
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)
######################
########################################
#
# myapp local policy
#
allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(myapp_t)
#files_read_etc_files(myapp_t)
#miscfiles_read_localization(myapp_t)
I also tried to move the app to a more standard location, as well as
labelled the Python interpreter's parent directory
as bin_t (it's in a virtualenv), I'm not sure what else to try,
if you have any more clues let me know
On Sat, Jan 18, 2014 at 10:15 PM, Dominick Grift
<dominick.grift(a)gmail.com> wrote:
On Fri, 2014-01-17 at 10:39 +0300, jiun bookworm wrote:
> I have been attempting to get my app to transition to a different
> domain unsuccessfully,
>
> init_daemon_domain(myapp_t, myapp_unit_file_t);
The transition does not go on myapp_unit_file_t; instead it goes on
myapp_exec_t
> type myapp_exec_t;
> files_type(myapp_exec_t);
So something like this to get started:
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)
As for the unit file, not sure off the top of my head but something like
this:
type myapp_unit_file_t;
systemd_unit_file(myapp_unit_file_t)
The unit file does not get executed, just read. So the transition can't
go on that file.
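
The reply above says the transition keys on the label of the file that is executed, not on the unit file. As an added example (not from either poster), this shell helper reports the label of the file that really gets executed and looks up the matching type_transition rule. The function names, the three arguments and the use of GNU stat and setools sesearch are assumptions.

```shell
#!/bin/sh
# Added example: does the executed file's label lead to the expected domain?

# context_type CONTEXT: print the type field of user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# transition_target SOURCE ENTRY_TYPE: read rules in sesearch output format
# on stdin and print the domain a process in SOURCE enters when it executes
# a file labelled ENTRY_TYPE. Prints nothing when no rule matches.
transition_target() {
    awk -v src="$1" -v ent="$2" '
        { gsub(/[ \t]*:[ \t]*/, ":") }   # older setools print "type : class"
        $1 == "type_transition" && $2 == src && $3 == (ent ":process") {
            sub(/;$/, "", $4); print $4; exit
        }'
}

# check_service PATH WANT_ENTRY WANT_DOMAIN
# Needs an SELinux host. Symlinks are resolved first because the label that
# matters is the one on the real file (a virtualenv interpreter is often a
# symlink to the system one).
check_service() {
    real=$(readlink -f "$1") || return 2
    have=$(context_type "$(stat -c %C "$real")")
    echo "executed file: $real ($have)"
    if [ "$have" != "$2" ]; then
        echo "label mismatch: expected $2"
        return 1
    fi
    got=$(sesearch -T -s init_t -t "$2" -c process | transition_target init_t "$2")
    echo "init_t on $2 -> ${got:-no transition rule}"
    [ "$got" = "$3" ]
}

# Usage: sh check.sh /path/to/executable myapp_exec_t myapp_t
[ $# -ne 3 ] || check_service "$@"
```

Pass the path that the unit's ExecStart line actually runs; if that is an interpreter rather than the application file, the interpreter's label is the one reported.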