On Thu, 2009-01-29 at 13:29 -0800, Vadym Chepkov wrote:
> Unfortunately, I have to allow for it to "work" now, but I
> don't want to turn off selinux.
> My first draft is this, by the way, and it's "working", so managers are off
I don't think you want an alias (i.e. two names for the same domain) but
rather another domain that is unconfined as well. Use
> /etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
> /usr/r/bin/aiadmin -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
> /usr/r/bin/aiclient -- gen_context(system_u:object_r:ai_exec_t,s0)
> /usr/r/bin/aiagent -- gen_context(system_u:object_r:ai_exec_t,s0)
> I just need to figure out what kind of auditallow statement to put in so it will log what
> wasn't specifically allowed only.
> The biggest challenge for me, so far, is to figure out all those macros from
> /usr/share/selinux/devel/include, I can't find any document that would have them all.
There used to be a /usr/share/doc/selinux-policy* directory that had the
HTML documentation for the policy - not sure where that is now in F10.
Latest interface docs are also online,
Interesting question about auditallow; you might need a script to
generate the right set, maybe derived from audit2allow/sepolgen innards.
Watch out though - auditallow'ing everything will flood your system with
too many audit messages.
National Security Agency
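The reply suggests a script to generate the auditallow set for an unconfined domain, and warns that auditing everything floods the audit log. The following is an added illustration of that idea, not code from the thread or from the SELinux project: it takes the allow rules an administrator has explicitly written, computes for each target and class the permissions that are not among them, and emits those as auditallow rules so that only "not specifically allowed" accesses get logged. The type name ai_t and the target ai_var_lib_t are assumptions (ai_exec_t and ai_initrc_exec_t come from the quoted file contexts), the class/permission table is a small constructed subset, and the interface names in the rendered module header (unconfined_domain, init_daemon_domain, init_script_file) are assumed to be the refpolicy ones under /usr/share/selinux/devel/include and should be checked against the headers actually installed. The audited-permission count and the warning it triggers are the flood check from the reply made explicit.

```python
#!/usr/bin/env python3
"""Constructed example: generate auditallow rules that log every access a
domain makes outside the allow rules an administrator has explicitly written.
Aimed at a domain that is otherwise unconfined, so the allow side is wide
open and only the audit side needs shaping."""

import re
from collections import defaultdict

# Constructed subset of object classes and their permissions.  Real policies
# define far more; this is just enough to show the set arithmetic.
CLASS_PERMS = {
    "file": {"read", "write", "getattr", "open", "execute", "create", "unlink"},
    "dir": {"read", "search", "write", "add_name", "remove_name", "getattr"},
    "process": {"fork", "signal", "transition", "ptrace", "setexec"},
}

# Constructed: allow rules the administrator has reviewed and understands.
# ai_t and ai_var_lib_t are assumed type names; ai_exec_t is from the thread.
# Anything beyond these is "not specifically allowed" and gets audited.
EXPLICIT_ALLOWS = """
allow ai_t ai_exec_t:file { read getattr open execute };
allow ai_t ai_var_lib_t:file { read write getattr open create unlink };
allow ai_t ai_var_lib_t:dir { read search write add_name remove_name getattr };
allow ai_t self:process { fork signal };
"""

# Matches "allow SRC TGT:CLASS { p1 p2 };" or "allow SRC TGT:CLASS p1;".
ALLOW_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;\s*$"
)


def parse_allows(text):
    """Return {(source, target, class): set(perms)} from allow rules."""
    rules = defaultdict(set)
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = ALLOW_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised allow rule: {line}")
        src, tgt, cls, braced, single = match.groups()
        perms = set(braced.split()) if braced is not None else {single}
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def audit_complement(domain, rules, class_perms):
    """For each (target, class) the domain touches, return the permissions
    that are NOT explicitly allowed; those become the auditallow set."""
    complement = {}
    for (src, tgt, cls), perms in rules.items():
        if src != domain:
            continue
        unexplained = class_perms[cls] - perms
        if unexplained:
            complement[(tgt, cls)] = unexplained
    return complement


def render_module(domain, complement, max_audited=20):
    """Render a small .te module.  Returns (text, audited_permission_count).
    Interface names are assumed refpolicy ones; verify against your headers."""
    base = domain[:-2] if domain.endswith("_t") else domain
    count = sum(len(p) for p in complement.values())
    lines = [
        "policy_module(ai, 1.0.0)",
        "",
        f"type {domain};",
        f"type {base}_exec_t;",
        f"type {base}_initrc_exec_t;",
        f"init_daemon_domain({domain}, {base}_exec_t)",
        f"init_script_file({base}_initrc_exec_t)",
        f"unconfined_domain({domain})",
        "",
        "# Everything is allowed above; log only what was not explicitly reviewed.",
    ]
    for (tgt, cls), perms in sorted(complement.items()):
        lines.append(f"auditallow {domain} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    if count > max_audited:
        # Flood check: each audited permission produces an AVC "granted"
        # record on every use, so a large set will swamp the audit log.
        lines.append(f"# WARNING: {count} permissions audited (limit {max_audited});"
                     " expect heavy audit traffic")
    return "\n".join(lines) + "\n", count


if __name__ == "__main__":
    rules = parse_allows(EXPLICIT_ALLOWS)
    module_text, audited = render_module("ai_t", audit_complement("ai_t", rules, CLASS_PERMS))
    print(module_text)
    print(f"# {audited} permissions will be audited")
```

Running it prints a module that allows everything through unconfined_domain but only emits auditallow rules for the permissions the explicit rules did not cover (for example write, create and unlink on ai_exec_t, and ptrace, setexec and transition on self:process). In a real policy the class and permission table would come from the installed policy rather than a hand-written dict, and targets the domain has never been given an explicit rule for remain unaudited, which is the trade-off the reply's flood warning points at.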