Creating and packaging a new policy module

Miroslav Grepl mgrepl at redhat.com
Thu Aug 22 11:51:30 UTC 2013


On 08/22/2013 09:25 AM, Dominick Grift wrote:
> On Thu, 2013-08-22 at 06:33 +0000, Juan Orti Alcaine wrote:
>> On 2013-08-20 11:13, Dominick Grift wrote:
>>> upstream will probably only accept it with the use of a
>>> dadvd_domtrans()
>>> but for your solution for now you could do something like this:
>>>
>>> optional_policy(`
>>> gen_require(`
>>> 	type radvd_exec_t, radvd_t;
>>> ')
>>> domtrans_pattern(gogoc_t, radvd_exec_t, radvd_t)
>>> ')
>>>
>> I have updated the policy, could you please take a look at it and give
>> me your opinion?
> sysnet_exec_ifconfig(gogoc_t)
>
> it's probably worth considering a domain transition to ifconfig instead
> because:
>
> allow gogoc_t self:capability { net_admin net_raw kill };
>
> are probably needed by ifconfig, and by running ifconfig in the ifconfig
> domain, you might be able to remove these permissions from gogoc_t.
>
> However, if you do decide to domain transition to ifconfig then it's
> probably a good idea to start all over, since other permissions you
> added for gogoc_t might no longer be needed because they were added for
> ifconfig.
Yes, basically it could be decided from AVC msgs which you were getting.
>> http://pkgs.fedoraproject.org/cgit/gogoc.git/tree/gogoc.te
>> http://pkgs.fedoraproject.org/cgit/gogoc.git/tree/gogoc.if
>> http://pkgs.fedoraproject.org/cgit/gogoc.git/tree/gogoc.fc
>>
>> Thank you,
>> Juan.
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
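An illustrative gogoc.te sketch of the ifconfig domain transition Dominick suggests, added here as an example and not taken from Juan's linked policy: the module header, the declarations, and the one capability left on gogoc_t (kill) are assumptions; the radvd block is the snippet quoted earlier in the thread.

```selinux
policy_module(gogoc, 1.0.1)

########################################
#
# Declarations
#

type gogoc_t;
type gogoc_exec_t;
init_daemon_domain(gogoc_t, gogoc_exec_t)

########################################
#
# gogoc local policy
#

# Before: gogoc executes ifconfig in its own domain, so gogoc_t itself
# needs the capabilities ifconfig uses to configure the tunnel interface.
#
#   allow gogoc_t self:capability { net_admin net_raw kill };
#   sysnet_exec_ifconfig(gogoc_t)

# After: transition into ifconfig_t instead. net_admin/net_raw are then
# granted by ifconfig's own policy, not by gogoc_t. Only what gogoc itself
# still needs stays here (kill is kept as an assumed example). Rebuild this
# list from fresh AVC denials after the switch, since rules added earlier
# on behalf of ifconfig may no longer be needed.
allow gogoc_t self:capability kill;
sysnet_domtrans_ifconfig(gogoc_t)

# Transition to radvd, as suggested in the thread; upstream would prefer a
# radvd_domtrans() interface once the radvd policy provides one.
optional_policy(`
	gen_require(`
		type radvd_exec_t, radvd_t;
	')
	domtrans_pattern(gogoc_t, radvd_exec_t, radvd_t)
')
```

After loading the rebuilt module, the transition rule can be confirmed with `sesearch -T -s gogoc_t -t ifconfig_exec_t`, and any remaining denials in the audit log then show what gogoc_t itself still needs.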