writing a policy. Confused about domain transition.

Daniel J Walsh dwalsh at redhat.com
Wed Jul 30 18:44:28 UTC 2008


yiruli at ccsl.carleton.ca wrote:
> Hi,
> I am practising to write a policy for a music player called soundjuicer.
> 
> Policy Tool I used:     selinux-polgengui
> 
> The beginning part of soundjuicer1.te is as follows:
> ----------------------------------------------------
> type soundjuicer1_t;
> type soundjuicer1_exec_t;
> application_domain(soundjuicer1_t, soundjuicer1_exec_t)
> role user_r types soundjuicer1_t;
> .....
> -------------------------------------------------------
> 
> The context of login id is (id -Z):
> user_u:user_r:user_t
> 
> I loaded the module, and then I ran the music player both from the terminal
> and the GUI. I checked the context of the soundjuicer process.
> The context of the process is: user_u:user_r:user_t
> 
> Question:
> With the context for the process, user_u:user_r:user_t, can I say that
> the security policy for the program is not being enforced, because of
> the failure of domain transition?
> 
> Should the context of the process be: user_u:user_r:soundjuicer1_t?
> 
> thanks
> Yiru Li
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You need to write a rule like


gen_require(`
	type user_t;
	role user_r;
	type user_tty_device_t, user_devpts_t;
')

soundjuicer1_run(user_t, user_r, { user_tty_device_t user_devpts_t })
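For reference, this is what a soundjuicer1.if providing that interface looks like in reference-policy style. It is an added example, not the file polgengui wrote for Yiru or anything from Dan's reply; the interface bodies approximate what the generator emits, and the three-argument soundjuicer1_run signature is assumed from the call above.

```m4
## <summary>Policy for the soundjuicer1 music player (added example).</summary>

########################################
## <summary>
##	Execute soundjuicer1_exec_t and transition into soundjuicer1_t.
## </summary>
## <param name="domain">
##	<summary>Domain allowed to transition (e.g. user_t).</summary>
## </param>
#
interface(`soundjuicer1_domtrans',`
	gen_require(`
		type soundjuicer1_t, soundjuicer1_exec_t;
	')

	# domtrans_pattern() expands to the rules a transition needs:
	#   allow $1 soundjuicer1_exec_t:file { getattr open read execute };
	#   allow $1 soundjuicer1_t:process transition;
	#   type_transition $1 soundjuicer1_exec_t:process soundjuicer1_t;
	# plus fd/fifo/sigchld rules so the new domain can talk to its parent.
	# application_domain() in the .te already made soundjuicer1_exec_t an
	# entrypoint for soundjuicer1_t, which the transition also requires.
	domtrans_pattern($1, soundjuicer1_exec_t, soundjuicer1_t)
')

########################################
## <summary>
##	Run soundjuicer1 in its own domain and let the given role use it.
## </summary>
## <param name="domain"><summary>Calling domain.</summary></param>
## <param name="role"><summary>Role allowed the soundjuicer1_t domain.</summary></param>
## <param name="terminal"><summary>Terminal type(s) the domain may use.</summary></param>
#
interface(`soundjuicer1_run',`
	gen_require(`
		type soundjuicer1_t;
	')

	soundjuicer1_domtrans($1)
	# The role must be authorised for the new type; otherwise the computed
	# context user_u:user_r:soundjuicer1_t is invalid and the exec is refused.
	role $2 types soundjuicer1_t;
	# Let the player keep using the terminal it was started from.
	allow soundjuicer1_t $3:chr_file rw_term_perms;
')
```

Two checks if the process still shows user_t after reloading the module: `ls -Z` on the player binary must show soundjuicer1_exec_t (run restorecon on it after installing the .fc file), and `sesearch -T -s user_t -t soundjuicer1_exec_t -c process` should list the type_transition rule.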
