On 03/01/2010 06:46 PM, Scott Salley wrote:
> I have a project with multiple daemons (around 6) which share many
> common features (they access the network, create and maintain daemon
> specific files, access random numbers, etc...), though they each deal
> with a different set of tasks (monitoring network resources, providing
> network file sharing services, providing network authentication
> services, etc).
> Is it okay to use the interface file to define a set of common
> properties for these daemons to avoid listing everything out for each
> daemon? If not the interface file, then how should a common set of
> patterns for these daemons be defined?
I usually use attributes for that. For example let us assume you have a
suite of apps to confine.
In that case you could assign an attribute mysuite_domains to each
domain type.
Then you can write the policy that all of the apps in your suite have in
common using the mysuite_domains attribute instead of the individual types.
You can find some examples in my policy repository:
git://84.245.6.206/selinux-modules.git
And in particular the telepathy.te file.
########################################
#
# Telepathy global personal policy.
#
allow tp_domains self:process { getsched signal };
allow tp_domains self:fifo_file rw_fifo_file_perms;
.. etc, etc ..
I found listing the rules for each daemon to be bug prone and tedious.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
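The following is an added worked example of the attribute technique described in the reply above; it is not code from the thread or from the linked selinux-modules repository. The module name mysuite, the three daemon names, the mysuite_* type names and the particular refpolicy interface calls are all assumptions chosen to match the asker's description (network access, per-daemon files, random numbers). It also shows the practitioner's caveat: anything granted to the attribute is granted to every member, so privileges that only one daemon needs (binding a port, reading the shadow file, managing its own state directory) stay on the individual type.

```selinux
policy_module(mysuite, 1.0.0)

########################################
#
# Declarations
#

# One attribute for all daemon domains in the suite (assumed name).
attribute mysuite_domains;

# Monitoring daemon (assumed type names)
type mysuite_monitor_t;
type mysuite_monitor_exec_t;
init_daemon_domain(mysuite_monitor_t, mysuite_monitor_exec_t)
typeattribute mysuite_monitor_t mysuite_domains;

type mysuite_monitor_var_lib_t;
files_type(mysuite_monitor_var_lib_t)

# File-sharing daemon
type mysuite_fileshare_t;
type mysuite_fileshare_exec_t;
init_daemon_domain(mysuite_fileshare_t, mysuite_fileshare_exec_t)
typeattribute mysuite_fileshare_t mysuite_domains;

type mysuite_fileshare_var_lib_t;
files_type(mysuite_fileshare_var_lib_t)

# Authentication daemon
type mysuite_auth_t;
type mysuite_auth_exec_t;
init_daemon_domain(mysuite_auth_t, mysuite_auth_exec_t)
typeattribute mysuite_auth_t mysuite_domains;

type mysuite_auth_var_lib_t;
files_type(mysuite_auth_var_lib_t)

########################################
#
# Suite-wide policy: written once, against the attribute.
# Every type carrying mysuite_domains receives all of these rules.
#

allow mysuite_domains self:process { getsched signal };
allow mysuite_domains self:fifo_file rw_fifo_file_perms;
allow mysuite_domains self:tcp_socket create_stream_socket_perms;

# Generic network send/receive (binding is daemon specific, see below)
corenet_tcp_sendrecv_generic_if(mysuite_domains)
corenet_tcp_sendrecv_generic_node(mysuite_domains)

# Random numbers, system state, logging, locale data
dev_read_rand(mysuite_domains)
dev_read_urand(mysuite_domains)
kernel_read_system_state(mysuite_domains)
logging_send_syslog_msg(mysuite_domains)
miscfiles_read_localization(mysuite_domains)

########################################
#
# Daemon-specific policy: only what is NOT common. Deliberately kept
# off the attribute so one daemon cannot reach a sibling's files or
# privileges.
#

# Each daemon manages only its own /var/lib directory.
manage_dirs_pattern(mysuite_monitor_t, mysuite_monitor_var_lib_t, mysuite_monitor_var_lib_t)
manage_files_pattern(mysuite_monitor_t, mysuite_monitor_var_lib_t, mysuite_monitor_var_lib_t)
files_var_lib_filetrans(mysuite_monitor_t, mysuite_monitor_var_lib_t, { dir file })

manage_dirs_pattern(mysuite_fileshare_t, mysuite_fileshare_var_lib_t, mysuite_fileshare_var_lib_t)
manage_files_pattern(mysuite_fileshare_t, mysuite_fileshare_var_lib_t, mysuite_fileshare_var_lib_t)
files_var_lib_filetrans(mysuite_fileshare_t, mysuite_fileshare_var_lib_t, { dir file })

manage_dirs_pattern(mysuite_auth_t, mysuite_auth_var_lib_t, mysuite_auth_var_lib_t)
manage_files_pattern(mysuite_auth_t, mysuite_auth_var_lib_t, mysuite_auth_var_lib_t)
files_var_lib_filetrans(mysuite_auth_t, mysuite_auth_var_lib_t, { dir file })

# Only the file-sharing daemon listens on the network.
corenet_tcp_bind_generic_node(mysuite_fileshare_t)

# Only the authentication daemon reads credential data.
auth_read_shadow(mysuite_auth_t)
```

Adding a seventh daemon is then three declarations, one init_daemon_domain call and one typeattribute line; its per-daemon file rules still have to be written out. After loading the module, `seinfo -a mysuite_domains -x` lists exactly which types carry the attribute, and `sesearch -A -s mysuite_domains` shows what that membership grants, which is the review step worth doing before a new type is added, since one typeattribute line hands it every rule in the common section at once. File context entries for the *_exec_t and *_var_lib_t types belong in the module's .fc file, which is not shown here.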