From: hechao55429 <hechao55429@126.com>
To: selinux <selinux@tycho.nsa.gov>
Subject: write selinux policy
Date: Sat, 16 May 2009 22:54:10 +0800 (CST)
Message-ID: <17697801.901261242485650930.JavaMail.coremail@bj126app52.126.com>


Hello everyone,

I'm now studying SELinux policy on Fedora 10. I wrote a policy module like this:

myapp.if:

    ## <summary>This is to constrain gedit</summary>

myapp.te:

    policy_module(myapp,1.0.0)
    type myapp_t;
    # Access to shared libraries
    libs_use_ld_so(myapp_t)
    libs_use_shared_libs(myapp_t)
    miscfiles_read_localization(myapp_t)
    type myapp_exec_t;
    type myapp_rw_t;
    files_type(myapp_exec_t)
    files_type(myapp_rw_t)
    init_domain(myapp_t,myapp_exec_t)
    allow myapp_t myapp_rw_t:file ~{write};

myapp.fc:

    /usr/bin/gedit -- gen_context(system_u:object_r:myapp_exec_t,s0)
    /root/share/a/as -- gen_context(system_u:object_r:myapp_rw_t,s0)

Then I compiled it, and it created myapp.pp with no errors.
Then I ran the command semodule -i myapp.pp, and it succeeded.
Then I relabeled the files using the restorecon command and rebooted.
But after the reboot, /usr/bin/gedit still ran in the unconfined_t domain.
Why?
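
Added example, not part of the original message: a check for whether the policy defines an automatic process transition from a given caller domain into myapp_t, which is the first thing to verify for the symptom described above. The function names and the sample rule are constructed for illustration; the sample assumes that the reference policy's init_domain() defines the transition only for init_t, and the commented sesearch invocation assumes setools is installed.

```shell
#!/bin/sh
# has_domtrans SOURCE ENTRY TARGET
# Reads type_transition rules in policy syntax on stdin, one per line, e.g. from
#   sesearch -T -s unconfined_t -t myapp_exec_t -c process
# (assumption: setools is installed). Exit status 0 if a rule matches.
has_domtrans() {
    awk -v s="$1" -v e="$2" -v t="$3" '
        { gsub(/[;:]/, " ") }   # "a b : process c;" becomes plain fields
        $1 == "type_transition" && $2 == s && $3 == e &&
            $4 == "process" && $5 == t { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample (an assumption, not output captured from the poster's
# system): the process transition a module gets from
# init_domain(myapp_t, myapp_exec_t), whose source domain is init_t.
SAMPLE_RULES='   type_transition init_t myapp_exec_t : process myapp_t;'

# resulting_domain SOURCE
# Prints the domain a process in SOURCE is in after executing a file labeled
# myapp_exec_t, according to SAMPLE_RULES. Without a matching rule, a caller
# that is allowed to execute the file (as unconfined_t is) keeps its own domain.
resulting_domain() {
    if printf '%s\n' "$SAMPLE_RULES" | has_domtrans "$1" myapp_exec_t myapp_t; then
        echo myapp_t
    else
        echo "$1"
    fi
}

for src in init_t unconfined_t; do
    echo "$src executes myapp_exec_t -> $(resulting_domain "$src")"
done
```

On a live system, pipe the sesearch output into has_domtrans and compare the result with the process label shown by ps -Z.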
