From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 29 Oct 2008 08:37:52 -0400
Subject: [refpolicy] Help with policy writing
In-Reply-To: <af1a12460810261143t340d51bwad304430a5607451@mail.gmail.com>
References: <af1a12460810261143t340d51bwad304430a5607451@mail.gmail.com>
Message-ID: <49085920.30501@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


/usr/local/sbin/samhain --
gen_context(system_u:object_r:samhain_exec_t,s0)

DAN> I would make this more generic maybe make the local optional

/usr/(local/)?sbin/samhain --
gen_context(system_u:object_r:samhain_exec_t,s0)


/etc/samhainrc  --      gen_context(system_u:object_r:samhain_config_t,s0)


/var/run/samhain.pid    --
gen_context(system_u:object_r:samhain_pid_t,s0)
/var/run/samhain_log.lock
gen_context(system_u:object_r:samhain_lock_t,s0)

I think these should be treated the same and labeled samhain_var_run_t

Unless there are different security properties between the pid file and
the lock file, no reason to label them differently.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkIWR8ACgkQrlYvE4MpobP0OQCeNtwQ9LuZ8IpLMFerpJH9HjAq
V2gAoJOT3Gu+ZPLvkBaEWyMYoJ96O8uo
=zb5o
-----END PGP SIGNATURE-----