From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 03 Dec 2008 08:15:07 -0500
Subject: [refpolicy] bin_t
In-Reply-To:
References:
Message-ID: <1228310110.9691.385.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2008-12-02 at 23:53 +0100, Konrad Azzopardi wrote:
> I am now confining SAMHAIN integrity checker with all features
> switched on. The daemon is spawning a "ps", and checking for
> hidden/fake/missing processes. The module works by searching the
> complete range of possible PIDs for processes, and comparing the list
> of processes thus found against the output of ps.
> Of course if I do not make a domain transition to bin_t everything
> is failing, but is bin_t too wide? What would be the best way to go
> around this, since ps is bin_t just like all the other binaries?
> Sorry, I am still relatively new so this may be trivial, but I guess
> bin_t is allowed to do a lot of things.

bin_t isn't a domain (process) type, it is a file type. You can't
transition a process to a file type. It sounds like these two rules
would be sufficient:

corecmd_exec_bin()
domain_read_all_domains_state()

You might also need:

domain_getattr_all_domains()

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
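
The interfaces named in the reply, placed in a local policy module. This is an added example, not part of the original message or of the reference policy; the module name samhain_local and the domain type samhain_t are assumptions, since the thread does not name the daemon's domain.

```selinux
# samhain_local.te (constructed example)
# samhain_t is an assumed name for the domain the daemon is confined in.
policy_module(samhain_local, 1.0.0)

gen_require(`
	type samhain_t;
')

# Execute bin_t files such as ps without a domain transition.
# bin_t is only the label on the file: ps keeps running as samhain_t,
# so every access ps needs has to be granted to samhain_t itself.
corecmd_exec_bin(samhain_t)

# Read the /proc/<pid> state of processes in every domain. Both ps and
# the daemon's own scan over the PID range depend on this.
domain_read_all_domains_state(samhain_t)

# Get the attributes of processes in every domain. Add this only if
# AVC denials for the getattr permission still show up in the audit log.
domain_getattr_all_domains(samhain_t)
```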