On Thu, 2009-01-29 at 14:43 -0800, Vadym Chepkov wrote:
> I don't think you want an alias (i.e. two names for the
> same domain) but
> rather another domain that is unconfined as well. Use
> unconfined_domain().
sshd_t is defined this way in Redhat policy, I learn from the masters :)
$ cd /home/vvc/rpmbuild/BUILD/serefpolicy-2.4.6/policy/modules/services
$ grep sshd_t ssh.te |grep domain
unconfined_alias_domain(sshd_t)
init_system_domain(sshd_t,sshd_exec_t)
That has changed in newer policies. But regardless, if you want to be
able to see allows/denies on ai_t, you can't make it an alias - it needs
to be its own distinct type. Aliases are just turned into the same
underlying type internally, so they will still show up as unconfined_t
in audit messages and ps -Z output.
>
> Interesting question about auditallow; you might need a
> script to
> generate the right set, maybe derived from
> audit2allow/sepolgen innards.
> Watch out though - auditallow'ing everything will flood
> your system with
> too many audit messages.
Exactly, I want to avoid it.
--
Stephen Smalley
National Security Agency