hechao55429 wrote:
> hello everyone:
> I'm now studying selinux policy on fedora 10. I wrote a policy
> module like this:
> myapp.if
> ## this is to constrain gedit
> myapp.te
> policy_module(myapp,1.0.0)
> type myapp_t;
> # Access to shared libraries
> libs_use_ld_so(myapp_t)
> libs_use_shared_libs(myapp_t)
> miscfiles_read_localization(myapp_t)
> type myapp_exec_t;
> type myapp_rw_t;
> files_type(myapp_exec_t)
> files_type(myapp_rw_t)
> init_domain(myapp_t,myapp_exec_t)
> allow myapp_t myapp_rw_t :file ~{write};
> myapp.fc
> /usr/bin/gedit -- gen_context(system_u:object_r:myapp_exec_t,s0)
> /root/share/a/as -- gen_context(system_u:object_r:myapp_rw_t,s0)
> Then I compiled it and it created myapp.pp with no error.
> And then I used the command semodule -i myapp.pp and it succeeded.
> Then I relabeled the files by using the restorecon command and rebooted.
> But after the reboot, /usr/bin/gedit still ran in the unconfined_t
> domain.
> why?

You didn't specify a type transition from unconfined; you can do this in
your module using the unconfined_run_to() interface.
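The fix suggested in the reply, applied to the quoted myapp.te, as an added example that is not part of the original message. The optional_policy wrapper and the comments are additions made here; the types and the other interface calls are the ones from the quoted module.

```selinux
# myapp.te (constructed example based on the module quoted above)
policy_module(myapp,1.0.0)

type myapp_t;
type myapp_exec_t;
type myapp_rw_t;
files_type(myapp_exec_t)
files_type(myapp_rw_t)

# init_domain() makes myapp_t a domain entered through myapp_exec_t, but the
# only automatic transition it sets up is for processes started by init.
# A gedit launched from a login session is started by unconfined_t, so with
# this line alone it stays in unconfined_t.
init_domain(myapp_t,myapp_exec_t)

# Added: let unconfined_t transition to myapp_t when it executes a file
# labeled myapp_exec_t, and authorize myapp_t for the unconfined role.
# optional_policy keeps the module loadable if the unconfined module is
# not installed (assumption: wrapper added here, not in the reply).
optional_policy(`
	unconfined_run_to(myapp_t,myapp_exec_t)
')

# Access to shared libraries
libs_use_ld_so(myapp_t)
libs_use_shared_libs(myapp_t)
miscfiles_read_localization(myapp_t)

# Every file permission except write on the app's data files
allow myapp_t myapp_rw_t:file ~{ write };
```

After rebuilding and reinstalling the module, the label in `ps -eZ` for the running gedit process is the place to check whether the transition took effect. A domain this small grants gedit very little, so expect AVC denials in the audit log for everything the module does not allow.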