| 1 |
Hi! |
| 2 |
|
| 3 |
> any daemon that starts out of the initrc_t must domain_auto_trans to a new |
| 4 |
> domain. |
| 5 |
> you might want to use the daemon_domain macro to accomplish that. |
| 6 |
|
| 7 |
Jep, that was the right way...I hope :) |
| 8 |
|
| 9 |
> it has to be rewritten. |
| 10 |
|
| 11 |
Done. |
| 12 |
|
| 13 |
|
| 14 |
So here are the new one. I hope it's now "secure" ;-) |
| 15 |
|
| 16 |
|
| 17 |
domains/program/ezipupdate.te |
| 18 |
# ez-ipupdate |
| 19 |
|
| 20 |
type ezipupdate_etc_t, file_type; |
| 21 |
|
| 22 |
daemon_domain(ezipupdate) |
| 23 |
|
| 24 |
allow ezipupdate_t self:capability { dac_override dac_read_search setgid setuid }; |
| 25 |
allow ezipupdate_t ezipupdate_etc_t:file { getattr read }; |
| 26 |
allow ezipupdate_t etc_t:file { getattr read }; |
| 27 |
|
| 28 |
allow ezipupdate_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; |
| 29 |
|
| 30 |
can_network(ezipupdate_t) |
| 31 |
|
| 32 |
|
| 33 |
file_context/program/ezipupdate.fc |
| 34 |
# ez-ipupdate |
| 35 |
/usr/bin/ez-ipupdate -- system_u:object_r:ezipupdate_exec_t |
| 36 |
/etc/ez-ipupdate\.conf -- system_u:object_r:ezipupdate_etc_t |
| 37 |
/var/run/ez-ipupdate\.pid -- system_u:object_r:ezipupdate_var_run_t |
| 38 |
|
| 39 |
|
| 40 |
Any suggestions, would you change anything or is it now ok? |
| 41 |
|
| 42 |
|
| 43 |
ciao, Stefan |
Archives