Linux Archive > Redhat > Fedora SELinux Support
12-01-2011, 03:10 PM
Konstantin Ryabitsev

Boolean to permit guest_u access

Hi, all:

I have the following in my .te file:

optional_policy(`
    gen_require(`
        type guest_t;
        role guest_r;
    ')

    my_app_run(guest_t, guest_r)
')

But really, I'd like to make it a boolean that an admin can toggle --
I'm not really keen on allowing guest_u to use this application by
default. Something like:

tunable_policy(`allow_guest_myapp_exec');

How would I combine tunable_policy with optional_policy?

Best,
--
Konstantin Ryabitsev
Systems Administrator
The Linux Foundation
Montréal, Québec

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
12-01-2011, 06:08 PM
Daniel J Walsh

Boolean to permit guest_u access


On 12/01/2011 11:10 AM, Konstantin Ryabitsev wrote:
> Hi, all:
>
> I have the following in my .te file:
>
> optional_policy(`
>     gen_require(`
>         type guest_t;
>         role guest_r;
>     ')
>
>     my_app_run(guest_t, guest_r)
> ')
>
> But really, I'd like to make it a boolean that an admin can toggle
> -- I'm not really keen on allowing guest_u to use this application
> by default. Something like:
>
> tunable_policy(`allow_guest_myapp_exec');
>
> How would I combine tunable_policy with optional_policy?
>
> Best,

Well in a perfect world...

optional_policy(`
    gen_require(`
        type guest_t;
        role guest_r;
    ')

    tunable_policy(`allow_guest_myapp_exec', `
        my_app_run(guest_t, guest_r)
    ')
')

Except this will not work, because you can not have role assignment
within a tunable. The latest policy from upstream is working around
this by using roleattributes.

But till now, I separated out my interface into two.

interface(`myapp_role',`
    gen_require(`
        type myapp_t;
    ')

    role $1 types myapp_t;
')

optional_policy(`
    gen_require(`
        type guest_t;
        role guest_r;
    ')

    myapp_role(guest_r)

    tunable_policy(`allow_guest_myapp_exec', `
        my_app_domtrans(guest_t)
    ')
')

 
12-01-2011, 06:34 PM
Miroslav Grepl

Boolean to permit guest_u access

On 12/01/2011 05:10 PM, Konstantin Ryabitsev wrote:
> Hi, all:
>
> I have the following in my .te file:
>
> optional_policy(`
> gen_require(`
> type guest_t;
> role guest_r;
> ')
>
> my_app_run(guest_t, guest_r)
> ')
>
> But really, I'd like to make it a boolean that an admin can toggle --
> I'm not really keen on allowing guest_u to use this application by
> default. Something like:
>
> tunable_policy(`allow_guest_myapp_exec');
>
> How would I combine tunable_policy with optional_policy?
For example:

optional_policy(`
    tunable_policy(`xguest_use_bluetooth',`
        bluetooth_dbus_chat(xguest_t)
    ')
')

>
> Best,

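A complete module that puts Daniel's two-piece split and Miroslav's allow-only tunable together, written as an added example rather than code from either poster or from the Fedora policy. The names guest_t, guest_r, myapp_role and allow_guest_myapp_exec come from the thread; the types myapp_t and myapp_exec_t, the interface myapp_domtrans, and the two-file layout (myapp.if plus myapp.te) are assumptions. The security-relevant point it shows: the role grant has to be unconditional, but that alone does not let a guest into the domain; with the boolean off there is no domain transition from guest_t to myapp_t, so the boolean still gates actual use.

```m4
## ---- myapp.if (assumed file name) --------------------------------------
## Role assignment lives in its own interface and is called OUTSIDE any
## tunable_policy block: "role ... types ..." is not permitted inside a
## conditional, only allow/type_transition style rules are.
interface(`myapp_role',`
	gen_require(`
		type myapp_t;
	')

	role $1 types myapp_t;
')

## Domain transition only (no role statement), so this one CAN be wrapped
## in a tunable. domtrans_pattern is a refpolicy support macro that emits
## the execute, transition and type_transition rules.
interface(`myapp_domtrans',`
	gen_require(`
		type myapp_t, myapp_exec_t;
	')

	domtrans_pattern($1, myapp_exec_t, myapp_t)
')

## ---- myapp.te (assumed file name) --------------------------------------
policy_module(myapp, 1.0.0)

## <desc>
## <p>Allow guest users to run myapp. Off by default.</p>
## </desc>
gen_tunable(allow_guest_myapp_exec, false)

type myapp_t;
type myapp_exec_t;
# Mark myapp_t as an application domain entered via myapp_exec_t.
application_domain(myapp_t, myapp_exec_t)

optional_policy(`
	gen_require(`
		type guest_t;
		role guest_r;
	')

	# Unconditional: guest_r is permitted to hold myapp_t. On its own
	# this grants nothing to a guest_t process, because no rule lets
	# guest_t enter myapp_t yet.
	myapp_role(guest_r)

	# Conditional: the execute + domain transition rules exist only
	# while the boolean is on, so this is the toggle the admin flips.
	tunable_policy(`allow_guest_myapp_exec',`
		myapp_domtrans(guest_t)
	')
')
```

With the Fedora policy development package installed, the module builds with `make -f /usr/share/selinux/devel/Makefile myapp.pp` and loads with `semodule -i myapp.pp`. `getsebool allow_guest_myapp_exec` should report it off after loading; `setsebool -P allow_guest_myapp_exec on` enables the transition persistently, and `sesearch -T -s guest_t -t myapp_exec_t` is a quick way to confirm the type_transition appears only when the boolean is on.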