Hi!

> any daemon that starts out of the initrc_t must domain_auto_trans to a new
> domain.
> you might want to use the daemon_domain macro to accomplish that.

Jep, that was the right way...I hope :)

> it has to be rewritten.

Done.

So here is the new one. I hope it's now "secure" ;-)

domains/program/ezipupdate.te
# ez-ipupdate

type ezipupdate_etc_t, file_type;

daemon_domain(ezipupdate)

allow ezipupdate_t self:capability { dac_override dac_read_search setgid setuid };
allow ezipupdate_t ezipupdate_etc_t:file { getattr read };
allow ezipupdate_t etc_t:file { getattr read };

allow ezipupdate_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;

can_network(ezipupdate_t)

file_context/program/ezipupdate.fc
# ez-ipupdate
/usr/bin/ez-ipupdate -- system_u:object_r:ezipupdate_exec_t
/etc/ez-ipupdate\.conf -- system_u:object_r:ezipupdate_etc_t
/var/run/ez-ipupdate\.pid -- system_u:object_r:ezipupdate_var_run_t

Any suggestions, would you change anything or is it now ok?

ciao, Stefan
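A small review helper for the policy fragments posted above, added here as an example and not part of the original mail or the SELinux example policy: it checks that every type used in the .te allow rules and the .fc contexts is declared (directly or by the daemon_domain macro) and flags capabilities that bypass DAC checks. The set of types daemon_domain(X) declares and the base-policy types are assumptions written into the tables.

```python
import re

# Constructed sample input: the .te and .fc fragments from the post above.
TE = """type ezipupdate_etc_t, file_type;
daemon_domain(ezipupdate)
allow ezipupdate_t self:capability { dac_override dac_read_search setgid setuid };
allow ezipupdate_t ezipupdate_etc_t:file { getattr read };
allow ezipupdate_t etc_t:file { getattr read };
allow ezipupdate_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
can_network(ezipupdate_t)
"""
FC = r"""/usr/bin/ez-ipupdate -- system_u:object_r:ezipupdate_exec_t
/etc/ez-ipupdate\.conf -- system_u:object_r:ezipupdate_etc_t
/var/run/ez-ipupdate\.pid -- system_u:object_r:ezipupdate_var_run_t
"""

# Assumption: the example-policy daemon_domain(X) macro declares these types.
MACRO_TYPES = {"daemon_domain": ("{0}_t", "{0}_exec_t", "{0}_var_run_t")}
# Assumption: types the base policy already provides.
BASE_TYPES = {"etc_t", "self"}
# Capabilities that bypass DAC checks and deserve a second look in review.
BROAD_CAPS = {"dac_override", "dac_read_search", "sys_admin"}

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\{[^}]*\}|\w+)\s+(\{[^}]*\}|\w+);", re.M)

def declared_types(te):
    """Types declared directly with 'type' or implied by a recognised macro call."""
    types = set(re.findall(r"^type\s+(\w+)", te, re.M))
    for macro, arg in re.findall(r"^(\w+)\((\w+)\)", te, re.M):
        types.update(p.format(arg) for p in MACRO_TYPES.get(macro, ()))
    return types

def lint(te, fc):
    """Return sorted findings: undeclared types and broad capability grants."""
    known = declared_types(te) | BASE_TYPES
    findings = set()
    for src, tgt, cls, perms in ALLOW_RE.findall(te):
        for t in (src, tgt):
            if t not in known:
                findings.add(f"undeclared type in allow rule: {t}")
        if "capability" in cls.strip("{} ").split():
            for p in perms.strip("{} ").split():
                if p in BROAD_CAPS:
                    findings.add(f"broad capability granted to {src}: {p}")
    for t in re.findall(r":object_r:(\w+)\s*$", fc, re.M):
        if t not in known:
            findings.add(f"file context uses undeclared type: {t}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint(TE, FC):
        print(finding)
```

On the posted fragments the only findings are the two DAC-bypassing capabilities; drop the daemon_domain line and the checker also reports ezipupdate_t, ezipupdate_exec_t and ezipupdate_var_run_t as undeclared.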