[refpolicy] Critique requested
Martin Orr
martin at martinorr.name
Tue Jul 28 05:12:02 CDT 2009
On 27/07/09 17:13, Hal Pomeranz wrote:
> Thanks to Dominick for critiquing my initial attempts at using
> the Reference Policy. I'm still curious about the answer to the
> following question, if anybody on the list has some insights:
>
>>> Also a question, if I may. I originally compiled portsentry from
>>> source as a standard dynamically-linked executable. However, when I
>>> started this binary under SELinux control I kept getting denials on
>>> the shared library "lib_t" files and directories as well as on various
>>> "ld_so*_t" files. Recompiling as a statically-linked executable made
>>> this problem go away (obviously), but what's the magic to get a
>>> standard dynamically-linked executable to not generate these errors?
>>> I've looked at the sample files in the refpolicy source and haven't
>>> been able to figure out the trick.

This permission is given by:

    libs_use_ld_so(domain)
    libs_use_shared_libs(domain)

in kernel/domain.te.

Any type declared with domain_type will get these permissions.

If you still see denials for these after using domain_type, then maybe you
are using an old policy: this was added to the policy in October 2008.

--
Martin Orr
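
An added example, not part of the original message or of the Reference Policy: a small Python triage that scans AVC denial records for the symptom discussed above (denials on lib_t and ld_so*_t targets) and lists the source domains affected. The log lines are constructed, and the record layout assumed is the usual audit.log AVC format.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not taken from the original thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1248775922.101:41): avc:  denied  { read } for  pid=2101 comm="portsentry" name="ld.so.cache" dev=sda1 ino=1201 scontext=system_u:system_r:portsentry_t:s0 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file
type=AVC msg=audit(1248775922.102:42): avc:  denied  { search } for  pid=2101 comm="portsentry" name="lib" dev=sda1 ino=1300 scontext=system_u:system_r:portsentry_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1248775922.103:43): avc:  denied  { read execute } for  pid=2101 comm="portsentry" name="libc-2.9.so" dev=sda1 ino=1311 scontext=system_u:system_r:portsentry_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1248775922.104:44): avc:  denied  { name_bind } for  pid=2101 comm="portsentry" src=1 scontext=system_u:system_r:portsentry_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1248775922.105:45): avc:  denied  { read } for  pid=2200 comm="httpd" name="x.log" dev=sda1 ino=1400 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
"""

# Pull permissions, source type, target type and class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)

def is_linker_target(ttype):
    """True for the target types named in the question: lib_t and ld_so*_t."""
    return ttype == "lib_t" or (ttype.startswith("ld_so") and ttype.endswith("_t"))

def linker_denials(log_text):
    """Return {source_type: sorted [(target_type, tclass, perm), ...]}."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or not is_linker_target(m["ttype"]):
            continue  # not a denial, or unrelated to shared-library loading
        for perm in m["perms"].split():
            found[m["stype"]].add((m["ttype"], m["tclass"], perm))
    return {domain: sorted(hits) for domain, hits in found.items()}

if __name__ == "__main__":
    for domain, hits in linker_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{domain}: shared-library / ld.so denials")
        for ttype, tclass, perm in hits:
            print(f"  {ttype}:{tclass} {{ {perm} }}")
        print("  check: is the type declared with domain_type, and does the policy")
        print("  carry libs_use_ld_so(domain) / libs_use_shared_libs(domain)?")
```
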