From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from msux-gh1-uea01.nsa.gov (msux-gh1-uea01.nsa.gov [63.239.67.1])
	by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id n4GG3IEL028118
	for ; Sat, 16 May 2009 12:03:18 -0400
Received: from manicmethod.com (localhost [127.0.0.1])
	by msux-gh1-uea01.nsa.gov (8.12.10/8.12.10) with ESMTP id n4GG3AnA026734
	for ; Sat, 16 May 2009 16:03:15 GMT
Message-ID: <4A0EE3AE.7020509@manicmethod.com>
Date: Sat, 16 May 2009 12:02:54 -0400
From: Joshua Brindle
MIME-Version: 1.0
To: hechao55429
CC: selinux
Subject: Re: write selinux policy
References: <17697801.901261242485650930.JavaMail.coremail@bj126app52.126.com>
In-Reply-To: <17697801.901261242485650930.JavaMail.coremail@bj126app52.126.com>
Content-Type: text/plain; charset=x-gbk; format=flowed
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

hechao55429 wrote:
> Hello everyone:
> I'm now studying SELinux policy on Fedora 10. I wrote a policy
> module like this:
>
> myapp.if
> ## this is to constrain gedit
>
> myapp.te
> policy_module(myapp,1.0.0)
> type myapp_t;
> # Access to shared libraries
> libs_use_ld_so(myapp_t)
> libs_use_shared_libs(myapp_t)
> miscfiles_read_localization(myapp_t)
> type myapp_exec_t;
> type myapp_rw_t;
> files_type(myapp_exec_t)
> files_type(myapp_rw_t)
> init_domain(myapp_t,myapp_exec_t)
> allow myapp_t myapp_rw_t :file ~{write};
>
> myapp.fc
> /usr/bin/gedit -- gen_context(system_u:object_r:myapp_exec_t,s0)
> /root/share/a/as -- gen_context(system_u:object_r:myapp_rw_t,s0)
>
> Then I compiled it and it created myapp.pp with no error.
> And then I used the command semodule -i myapp.pp and it succeeded.
> Then I relabeled the files using the restorecon command and rebooted.
> But after it rebooted, /usr/bin/gedit still ran in the unconfined_t
> domain.
> Why?

You didn't specify a type transition from unconfined; you can do this in
your module using the unconfined_run_to() interface.
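The fix described in the reply, as an added example that is not part of the original thread or of the reference policy: the poster's myapp.te with a call to unconfined_run_to() added. The argument order (domain first, then entry-point file type) and the optional_policy wrapper are assumptions that follow reference policy conventions.

```te
# myapp.te: the module from the thread plus a transition out of unconfined_t.
policy_module(myapp,1.0.0)

type myapp_t;
type myapp_exec_t;
type myapp_rw_t;
files_type(myapp_exec_t)
files_type(myapp_rw_t)

# Kept from the original post. This declares myapp_t as a domain entered
# through myapp_exec_t, but only for programs started by init. It adds no
# rule for a user session running as unconfined_t, which is why gedit
# stayed in unconfined_t.
init_domain(myapp_t,myapp_exec_t)

# Access to shared libraries and locale data (from the original post)
libs_use_ld_so(myapp_t)
libs_use_shared_libs(myapp_t)
miscfiles_read_localization(myapp_t)

# Unchanged from the original post: every file permission except write.
allow myapp_t myapp_rw_t:file ~{ write };

# Added line: when unconfined_t executes a file labeled myapp_exec_t, the
# new process transitions to myapp_t. Assumed argument order: domain, then
# entry-point type. Wrapped in optional_policy so the module still loads on
# a system where the unconfined module is not installed.
optional_policy(`
	unconfined_run_to(myapp_t,myapp_exec_t)
')

# Checks after reinstalling the module and relabeling:
#   semodule -i myapp.pp
#   restorecon -v /usr/bin/gedit
#   ls -Z /usr/bin/gedit     (confirm the file carries myapp_exec_t)
#   ps -eZ | grep gedit      (confirm the domain of a newly started gedit)
```

myapp_t still holds only the permissions listed in this module, so once the transition takes effect the audit log will show AVC denials for everything else gedit tries to do.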