Naive Qs about selinux modules

Johnson, Richard Richard.Johnson at stratus.com
Mon Sep 8 22:23:05 UTC 2008


Q:  Can any SELinux directive be put into a policy module, or are there
restrictions?

 

For example: suppose I wanted to:

  allow snmpd_t apmd_t:process ptrace;
  allow snmpd_t auditd_t:process ptrace;
  allow snmpd_t automount_t:process ptrace;
  [ ...and so on ]

   

so that snmpd could access mib .1.3.6.1.2.1.6. (advisability
notwithstanding) Could these directives be put into a policy module even
though the base policy already has an snmpd i/f?

 

Q.  Can a module define new booleans?  If so are they persistent if the
module is unloaded and reloaded?

 

For example: an snmpd policy module with an snmpd_can_ptrace boolean.
Are there namespace conventions?

 

Q. What happens if the base policy (or another policy module) is
updated with overlapping statements?

 

Am I correct in believing that the set of allows is the union of the
base allows + all module allows?

 

--rich

 

 

 
