Boolean to permit guest_u access
Daniel J Walsh
dwalsh at redhat.com
Thu Dec 1 19:08:15 UTC 2011
On 12/01/2011 11:10 AM, Konstantin Ryabitsev wrote:
> Hi, all:
>
> I have the following in my .te file:
>
> optional_policy(`
>     gen_require(`
>         type guest_t;
>         role guest_r;
>     ')
>
>     my_app_run(guest_t, guest_r)
> ')
>
> But really, I'd like to make it a boolean that an admin can toggle
> -- I'm not really keen on allowing guest_u to use this application
> by default. Something like:
>
> tunable_policy(`allow_guest_myapp_exec');
>
> How would I combine tunable_policy with optional_policy?
>
> Best,
Well in a perfect world...
optional_policy(`
    gen_require(`
        type guest_t;
        role guest_r;
    ')

    tunable_policy(`allow_guest_myapp_exec', `
        my_app_run(guest_t, guest_r)
    ')
')
Except this will not work, because you cannot have a role assignment
within a tunable. The latest policy from upstream is working around
this by using role attributes.

But until now, I separated out my interface into two.
interface(`myapp_role',`
    gen_require(`
        type myapp_t;
    ')

    role $1 types myapp_t;
')

optional_policy(`
    gen_require(`
        type guest_t;
        role guest_r;
    ')

    myapp_role(guest_r)

    tunable_policy(`allow_guest_myapp_exec', `
        my_app_domtrans(guest_t)
    ')
')
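For reference, here is how the two-interface approach looks as a complete module, written as an added example rather than taken from the thread: the boolean is declared with gen_tunable in the .te file, the role grant stays unconditional in the .if file, and only the domain transition sits inside tunable_policy. The type names myapp_t and myapp_exec_t and the interface name myapp_domtrans are assumed.

```m4
#### myapp.if (added example; type and interface names are assumed)

## <summary>Allow a role to use the myapp_t domain (unconditional).</summary>
interface(`myapp_role',`
    gen_require(`
        type myapp_t;
    ')

    # Role statements are not permitted inside tunable_policy(), so
    # this grant is made whether or not the boolean is enabled. It is
    # harmless on its own: without a transition rule no process of this
    # role ever enters myapp_t.
    role $1 types myapp_t;
')

## <summary>Transition to myapp_t when executing myapp_exec_t.</summary>
interface(`myapp_domtrans',`
    gen_require(`
        type myapp_t, myapp_exec_t;
    ')

    # The transition consists of ordinary allow and type_transition
    # rules, which may be made conditional.
    domtrans_pattern($1, myapp_exec_t, myapp_t)
')

#### myapp.te (added example)

policy_module(myapp, 1.0.0)

type myapp_t;
type myapp_exec_t;
application_domain(myapp_t, myapp_exec_t)

## <desc>
## <p>Allow guest users to run myapp.</p>
## </desc>
gen_tunable(allow_guest_myapp_exec, false)

optional_policy(`
    gen_require(`
        type guest_t;
        role guest_r;
    ')

    # Unconditional role grant; the boolean (off by default) only
    # gates the domain transition.
    myapp_role(guest_r)

    tunable_policy(`allow_guest_myapp_exec', `
        myapp_domtrans(guest_t)
    ')
')
```

Once the module is loaded, `setsebool -P allow_guest_myapp_exec on` enables the transition for guest_u and `getsebool allow_guest_myapp_exec` shows the current state.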