From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 26 Jun 2012 23:10:30 +0200
Subject: [refpolicy] [PATCH v3 1/3] Support read/append/manage functions for various httpd content
In-Reply-To: <20120626203841.GA19892@siphos.be>
References: <20120624110736.GA995@siphos.be>
<20120624110826.GB995@siphos.be> <4FE9B7AD.6010707@tresys.com>
<1340719037.12652.6.camel@x220.mydomain.internal>
<4FE9C15D.6050405@tresys.com> <20120626203841.GA19892@siphos.be>
Message-ID: <1340745030.12652.15.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Tue, 2012-06-26 at 22:38 +0200, Sven Vermeulen wrote:
>
> And while I'm on it, what is the difference between a spec_domtrans and a
> regular one? Is that only that the transition doesn't occur automatically
> (i.e. the application has to be SELinux-aware to use it)?
A spec domtrans allows you to specify a target domain.
A normal domtrans takes a single parameter: the (source) domain.
A spec domtrans takes two parameters: the source domain and the target domain.
Example:
A myapp_domtrans:
########################################
## <summary>
##	Execute a domain transition to run myapp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`myapp_domtrans',`
	gen_require(`
		type myapp_t, myapp_exec_t;
	')

	domtrans_pattern($1, myapp_exec_t, myapp_t)
')
A myapp_spec_domtrans:
########################################
## <summary>
##	Execute myapp executable files
##	in the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`myapp_spec_domtrans',`
	gen_require(`
		type myapp_exec_t;
	')

	domtrans_pattern($1, myapp_exec_t, $2)
')
As far as I know it has no relationship whatsoever with setexeccon use,
other than that they could be used together.
The spec refers to "domain transition from and to a specified domain"
my $0.02
> Wkr,
> Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
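As an added illustration (not part of this message, and not refpolicy's own code), here is a hypothetical caller module that uses both interfaces from the reply above, with the rules that domtrans_pattern expands to written out in comments. The module name, the type httpd_myapp_t and the choice of sysadm_t and httpd_t as callers are assumptions made for the example.

```selinux
policy_module(myapp_callers, 1.0.0)

########################################
#
# Declarations (hypothetical, added for this example)
#

gen_require(`
	type sysadm_t, httpd_t;
')

# A private domain in which the web server will run myapp.
# The myapp module itself never declares this type.
type httpd_myapp_t;
domain_type(httpd_myapp_t)

########################################
#
# Caller 1: the ordinary domtrans.  The target domain is fixed
# inside the interface (myapp_t), so the caller only names itself.
#

myapp_domtrans(sysadm_t)

# domtrans_pattern(sysadm_t, myapp_exec_t, myapp_t) expands to:
#
#   allow sysadm_t myapp_exec_t:file { getattr open read execute };
#   allow sysadm_t myapp_t:process transition;
#   dontaudit sysadm_t myapp_t:process { noatsecure siginh rlimitinh };
#   type_transition sysadm_t myapp_exec_t:process myapp_t;
#   allow myapp_t sysadm_t:fd use;
#   allow myapp_t sysadm_t:fifo_file rw_fifo_file_perms;
#   allow myapp_t sysadm_t:process sigchld;

########################################
#
# Caller 2: the spec domtrans.  The caller supplies the target domain,
# so the same executable lands in a domain chosen by the caller.
#

myapp_spec_domtrans(httpd_t, httpd_myapp_t)

# domtrans_pattern(httpd_t, myapp_exec_t, httpd_myapp_t) expands to the
# same seven rules with httpd_t / httpd_myapp_t substituted for
# sysadm_t / myapp_t.  Nothing else differs between the two interfaces.

# Check, with the module loaded (setools):
#
#   sesearch -T -s sysadm_t -t myapp_exec_t -c process
#   sesearch -T -s httpd_t  -t myapp_exec_t -c process
#
# Both should print a type_transition rule, one to myapp_t and one to
# httpd_myapp_t.
```

Because both interfaces go through domtrans_pattern, which emits a type_transition rule, the transition is automatic in both cases; the caller does not need to be SELinux-aware. The only thing "spec" changes is who decides the destination domain: the interface author in myapp_domtrans, the caller in myapp_spec_domtrans.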