From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 19 May 2010 13:45:01 -0400
Subject: [refpolicy] Howto enable or disable clipboard with selinux?
In-Reply-To:
References:
Message-ID: <1274291101.2093.271.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2010-05-19 at 20:33 +0500, Shaz wrote:
> On Sat, May 15, 2010 at 10:50 PM, Shaz wrote:
> > Dear list,
> >
> > I want to enable or disable the clipboard with booleans. Is there any
> > available policy that can do this? If not please indicate the relevant place
> > to start with.
>
> There was a flaw in this question that someone on selinux irc
> explained to me. We need to control an application's access to
> booleans. But I am still not sure how much and what effort it
> requires? Pointer to tutorials or some guidance will be appreciated.

If you want to allow changing Booleans on a coarse level (all or
nothing), you just need to allow the setbool permission. The
selinux_set_generic_booleans() or selinux_set_all_booleans() interfaces
should be sufficient for this.

If you want to be fine grained, you can label the selinuxfs entry for
the boolean using the selinux_labeled_boolean() interface. For example
if you wanted to label the "disable_clipboard" boolean:

    type my_boolean_t;
    selinux_labeled_boolean(my_boolean_t, disable_clipboard)

Then you would need to allow rw permissions on the my_boolean_t file, in
addition to the setbool permission. The caveat on this is that the
selinux_labeled_boolean() call and type declaration must be in the base
module, if you use a modular policy.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com