how to transition a daemon to its own domain

jiun bookworm thebookworm101 at gmail.com
Sun Jan 19 06:19:38 UTC 2014


Thanks for that,
unfortunately I'm still not there yet,
now the application runs in initrc_t (it was remaining in init_t).
This is how the policy looks (from your and bigon's advice):

# module header (required for the .te to build)
policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#
require {
        type init_t;
}

# init_daemon_domain() declares myapp_exec_t as the entrypoint and adds the
# init_t -> myapp_t transition on it
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

########################################
#
# myapp local policy
#
allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;

domain_use_interactive_fds(myapp_t)

#files_read_etc_files(myapp_t)

#miscfiles_read_localization(myapp_t)


I also tried to move the app to a more standard location, as well as
labelling the Python interpreter's parent directory
as bin_t (it's in a virtualenv). I'm not sure what else to try;
if you have any more clues, let me know.

On Sat, Jan 18, 2014 at 10:15 PM, Dominick Grift
<dominick.grift at gmail.com> wrote:

> On Fri, 2014-01-17 at 10:39 +0300, jiun bookworm wrote:
> > I have been attempting to get my app to transition to a different
> > domain unsuccessfully,
>
>
> >
> > init_daemon_domain(myapp_t, myapp_unit_file_t);
>
> The transition does not go on myapp_unit_file_t; instead it goes on
> myapp_exec_t.
>
> > type myapp_exec_t;
> > files_type(myapp_exec_t);
>
> So something like this to get started:
>
> type myapp_t;
> type myapp_exec_t;
> init_daemon_domain(myapp_t, myapp_exec_t)
>
> As for the unit file, not sure off the top of my head but something like
> this:
>
> type myapp_unit_file_t;
> systemd_unit_file(myapp_unit_file_t)
>
> The unit file does not get executed, just read, so the transition can't
> go on that file.
>
>
>
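An added example, not from either poster: the complete minimal module for the case above (a .te with the transition and unit-file types, plus the .fc file that actually labels the entrypoint), with the checks to confirm the transition. The paths under /opt/myapp and the unit name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed paths: /opt/myapp/bin/myapp is the
# file that the unit's ExecStart= runs directly (that file, not the interpreter
# behind it, must carry myapp_exec_t for init_t -> myapp_t to happen).

write_policy() {  # $1 = directory to write myapp.te and myapp.fc into
    cat > "$1/myapp.te" <<'EOF'
policy_module(myapp, 1.0.0)

# init_daemon_domain() declares the domain, marks myapp_exec_t as its
# entrypoint and adds the init_t -> myapp_t transition on that type.
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# The unit file is only read by systemd, never executed.
type myapp_unit_file_t;
systemd_unit_file(myapp_unit_file_t)

allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(myapp_t)
EOF
    # Without a file context the binary keeps its old label (e.g. bin_t)
    # and the transition rule never matches.
    cat > "$1/myapp.fc" <<'EOF'
/opt/myapp/bin/myapp                --  gen_context(system_u:object_r:myapp_exec_t,s0)
/etc/systemd/system/myapp\.service  --  gen_context(system_u:object_r:myapp_unit_file_t,s0)
EOF
}

build_and_load() {  # root on the target host; $1 = directory from write_policy
    (cd "$1" && make -f /usr/share/selinux/devel/Makefile myapp.pp) &&
    semodule -i "$1/myapp.pp" &&
    restorecon -Rv /opt/myapp /etc/systemd/system/myapp.service
}

verify_transition() {
    # 1. the rule is in the loaded policy: expect
    #    type_transition init_t myapp_exec_t:process myapp_t;
    sesearch --type_trans -s init_t -t myapp_exec_t -c process
    # 2. the on-disk label matches what the policy expects
    matchpathcon /opt/myapp/bin/myapp
    ls -Z /opt/myapp/bin/myapp
    # 3. after 'systemctl restart myapp', the process should run as myapp_t
    ps -eZ | grep '[m]yapp'
}

# Usage on the host: d=$(mktemp -d); write_policy "$d"; build_and_load "$d"; verify_transition
```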