Naive Qs about selinux modules
Johnson, Richard
Richard.Johnson at stratus.com
Mon Sep 8 22:23:05 UTC 2008
Q: Can any SELinux directive be put into a policy module, or are there
restrictions?
For example: suppose I wanted to:
allow snmpd_t apmd_t:process ptrace;
allow snmpd_t auditd_t:process ptrace;
allow snmpd_t automount_t:process ptrace;
[ ...and so on ]
so that snmpd could access mib .1.3.6.1.2.1.6. (advisability
notwithstanding) Could these directives be put into a policy module even
though the base policy already has an snmpd i/f?
Q. Can a module define new booleans? If so are they persistent if the
module is unloaded and reloaded?
For example: an snmpd policy module with an snmpd_can_ptrace boolean.
Are there namespace conventions?
Q. What happens if the base policy (or another policy module) is
updated with overlapping statements?
Am I correct in believing that the set of allows is the union of the
base allows + all module allows?
--rich