Policy redundancy and layout
Daniel J Walsh
dwalsh at redhat.com
Mon Mar 1 18:41:02 UTC 2010
On 03/01/2010 12:46 PM, Scott Salley wrote:
>
> I have a project with multiple daemons (around 6) which share many
> common features (they access the network, create and maintain daemon
> specific files, access random numbers, etc...), though they each deal
> with a different set of tasks (monitoring network resources, providing
> network file sharing services, providing network authentication
> services, etc).
>
> Is it okay to use the interface file to define a set of common
> properties for these daemons to avoid listing everything out for each
> daemon? If not the interface file, then how should a common set of
> patterns for these daemons be defined?
>
> I found listing the rules for each daemon to be bug prone and tedious.
Yes, this is done with apache cgi scripts, for example, nagios.
A lot of the time these use templates to generate the types. Also look into
using attributes to associate rules with the types:
    type $1_t, MYDOMAIN;
Then in the te file you add rules like:
    files_read_etc_files(MYDOMAIN)
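
Added example, not part of the original message and not policy from Fedora or from the poster's project: a reference-policy style module that combines the template and the attribute described in the reply. The module name myproj, the attribute myproj_domain, the template name and the three daemon names are hypothetical, and the per-daemon rules at the end are illustrative assumptions.

```selinux
# ---- myproj.if (hypothetical module) ----
## <summary>Shared policy for the myproj daemons.</summary>

# $1 = daemon name prefix. The attribute myproj_domain must already be
# declared in myproj.te before this template is called.
template(`myproj_daemon_template',`
	type $1_t, myproj_domain;
	type $1_exec_t;
	init_daemon_domain($1_t, $1_exec_t)

	# Daemon-specific runtime files get their own type per daemon.
	type $1_var_run_t;
	files_pid_file($1_var_run_t)
	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
	files_pid_filetrans($1_t, $1_var_run_t, file)
')

# ---- myproj.te ----
policy_module(myproj, 1.0.0)

attribute myproj_domain;

# One call per daemon generates NAME_t, NAME_exec_t and NAME_var_run_t.
myproj_daemon_template(myproj_monitor)
myproj_daemon_template(myproj_fileshare)
myproj_daemon_template(myproj_auth)

# Rules common to every daemon are written once against the attribute.
allow myproj_domain self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_generic_if(myproj_domain)
corenet_tcp_sendrecv_generic_node(myproj_domain)
sysnet_dns_name_resolve(myproj_domain)
dev_read_urand(myproj_domain)
files_read_etc_files(myproj_domain)
logging_send_syslog_msg(myproj_domain)

# Access that only one daemon needs stays on the type of that daemon, so
# the attribute carries nothing beyond what all of them require.
corenet_tcp_bind_generic_node(myproj_fileshare_t)
auth_domtrans_chk_passwd(myproj_auth_t)
```

Every rule written against the attribute is granted to all member types, so a permission belongs there only if each daemon needs it.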