07-19-2008, 07:26 PM

writing a policy. Confused about domain transition.

Hi,
I am practising writing a policy for a music player called soundjuicer.

Policy Tool I used: selinux-polgengui

The beginning part of soundjuicer1.te is as follows:
----------------------------------------------------
type soundjuicer1_t;
type soundjuicer1_exec_t;
application_domain(soundjuicer1_t, soundjuicer1_exec_t)
role user_r types soundjuicer1_t;
.....
-------------------------------------------------------

The context of login id is (id -Z):
user_u:user_r:user_t

I loaded the module. And then I ran the music player both from
terminal and GUI. I checked the context of the soundjuicer process.

The context of the process is : user_u:user_r:user_t

Question:
With the context for the process, user_u:user_r:user_t, can I say that
the security policy for the program is not being enforced, because of
the failure of domain transition?


Should the context of the process be: user_u:user_r:soundjuicer1_t?

thanks
Yiru Li

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
07-30-2008, 06:44 PM
Daniel J Walsh

writing a policy. Confused about domain transition.

yiruli@ccsl.carleton.ca wrote:
> Hi,
> I am practising writing a policy for a music player called soundjuicer.
>
> Policy Tool I used: selinux-polgengui
>
> The beginning part of soundjuicer1.te is as follows:
> ----------------------------------------------------
> type soundjuicer1_t;
> type soundjuicer1_exec_t;
> application_domain(soundjuicer1_t, soundjuicer1_exec_t)
> role user_r types soundjuicer1_t;
> .....
> -------------------------------------------------------
>
> The context of login id is (id -Z):
> user_u:user_r:user_t
>
> I loaded the module. And then I ran the music player both from terminal
> and GUI. I checked the context of the soundjuicer process.
> The context of the process is : user_u:user_r:user_t
>
> Question:
> With the context for the process, user_u:user_r:user_t, can I say that
> the security policy for the program is not being enforced, because of
> the failure of domain transition?
>
> Should the context of the process be: user_u:user_r:soundjuicer1_t?
>
> thanks
> Yiru Li
>
You need to write a rule like


gen_require(`
type user_t;
role user_r;
type user_tty_device_t, user_devpts_t;
')

soundjuicer1_run(user_t, user_r, { user_tty_device_t user_devpts_t })
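
An offline check for the situation in this thread, as an added example that is not part of the original posts: given the executable's file context, the process context and the policy's type_transition rules as text, it reports which piece of the automatic domain transition is missing. The helper names and the sample contexts and rules are assumptions constructed for the example; the soundjuicer1 and user type names are taken from the thread.

```shell
#!/bin/sh
# Added example; contexts and rule text below are constructed sample data.

# ctx_type CONTEXT: print the type (3rd field), ignoring any MLS level after it.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# has_type_transition RULES SRC ENTRY DST: succeed if RULES contains
# "type_transition SRC ENTRY:process DST;" (spaces around ':' tolerated).
has_type_transition() {
    printf '%s\n' "$1" | sed 's/ *: */:/g' |
        grep -q "^ *type_transition $2 $3:process $4;"
}

# diagnose FILE_CTX PROC_CTX RULES SRC ENTRY DST: print a one-line verdict.
diagnose() {
    file_t=$(ctx_type "$1")
    proc_t=$(ctx_type "$2")
    if [ "$proc_t" = "$6" ]; then
        echo "ok: process runs in $6"
    elif [ "$file_t" != "$5" ]; then
        echo "mislabeled: executable is $file_t, expected $5"
    elif ! has_type_transition "$3" "$4" "$5" "$6"; then
        echo "no-transition: no type_transition $4 $5:process $6"
    else
        echo "other: label and rule present; check role and allow rules"
    fi
}

# State described in the first post: the process stays in user_t.
# On a live system the inputs would come from ls -Z, ps -eZ and a policy query.
rules_before='type_transition user_t passwd_exec_t : process passwd_t;'
diagnose 'system_u:object_r:soundjuicer1_exec_t' 'user_u:user_r:user_t' \
    "$rules_before" user_t soundjuicer1_exec_t soundjuicer1_t
```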
