From: rfkrocktk@gmail.com (Naftuli Kay)
Date: Mon, 21 Nov 2016 09:32:40 -0800
Subject: [refpolicy] how to inherit unconfined_service_t
In-Reply-To: <4c6f0295-11e3-1220-f319-98ca679487f6@gmail.com>
References: <4c6f0295-11e3-1220-f319-98ca679487f6@gmail.com>
Message-ID: <CAPTk+sYPmTieAD82LC7-otdYS5fzxGSFnqg3+5YHDcjHT72NRw@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

IIRC unconfined_service_t is a special exception to the general rule.
Macros have been used in the reference policy to grant every possible
privilege to this type. There may be an attribute that you can use
which accomplishes the same thing. Please dig around and find out what
attributes that unconfined_service_t has associated with it.

Thanks,
 - Naftuli Kay


On Mon, Nov 21, 2016 at 9:23 AM, mm via refpolicy
<refpolicy@oss.tresys.com> wrote:
> Hi all,
>
> I would need to define a domain bar_t which should inherit all access
> rights of unconfined_service_t.
> I know I can use unconfined_domain() to inherit the rules of unconfined_t.
> The fact is that (at least on Fedora 24) service processes appear to run
> by default as unconfined_service_t.
> my process /sbin/bar (which is not selinux aware) runs fine with this
> default context, but I would need to define its own domain bar_t.
> Hence the question of how to inherit the rules of unconfined_service_t.
>
> Thanks in advance,
> M. Manfredini
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy