On Thu, 2009-01-29 at 13:29 -0800, Vadym Chepkov wrote:
Unfortunately, I have to allow for it to "work" now, but I
don't want do turn off selinux.
My first draft is this, by the way, and it's "working", so managers are off
my back.
ai.te:
policy_module(ai,0.0.1)
type ai_initrc_exec_t;
init_script_type(ai_initrc_exec_t);
type ai_exec_t;
userdom_executable_file(ai_exec_t);
unconfined_alias_domain(ai_t);
I don't think you want an alias (i.e. two names for the same domain) but
rather another domain that is unconfined as well. Use
unconfined_domain().
init_daemon_domain(ai_t,ai_exec_t)
type ai_log_t;
logging_log_file(ai_log_t)
manage_dirs_pattern(ai_t,ai_log_t,ai_log_t)
manage_files_pattern(ai_t,ai_log_t,ai_log_t)
ai.fc:
/etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
/usr/r/bin/aiadmin -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
/usr/r/bin/aiclient -- gen_context(system_u:object_r:ai_exec_t,s0)
/usr/r/bin/aiagent -- gen_context(system_u:object_r:ai_exec_t,s0)
/usr/r/logs(/.*)? gen_context(system_u:object_r:ai_log_t,s0)
I just need to figure out what kind of auditallow statement to put in so it will log what
wasn't specifically allowed only.
The biggest challenge for me, so far, is to figure out all those macros from
/usr/share/selinux/devel/include, I can't find any document that would have them all.
There used to be a /usr/share/doc/selinux-policy* directory that had the
HTML documentation for the policy - not sure where that is now in F10.
Latest interface docs are also online,
http://oss.tresys.com/docs/refpolicy/api/
Interesting question about auditallow; you might need a script to
generate the right set, maybe derived from audit2allow/sepolgen innards.
Watch out though - auditallow'ing everything will flood your system with
too many audit messages.
--
Stephen Smalley
National Security Agency