incrontab_t (hopefully) complete, let's look at the
domain. As this domain will also be used to execute the user (and
system) commands provided through the incrontabs, we need to consider
how we are going to deal with this wide range of possible permissions
that it might take. One …
So I've shown the iterative approach used to develop policies. Again, please be aware that this is my way of developing policies, other policy developers might have a different approach. We were working on the incrontab command, so let's continue with trying to create a new user incrontab:
$ incrontab -e …
If you notice that a process is running in the
unlabeled_t domain, the
first question to ask is how it got there.
Well, one way is to have a process running in a known domain, like
screen_t, after which the SELinux policy module that provides this
domain is removed from …
While writing up the posts on capabilities, one thing I had in my mind was to give some additional information on frequently occurring denials, such as the dac_override and dac_read_search capabilities, and when they are triggered. For the DAC-related capabilities, policy developers often notice that these capabilities are triggered without …more ...
To work on SELinux policies, I use a couple of functions that I can call on the shell (command line): seshowif, sefindif, seshowdef and sefinddef. The idea behind the methods is that I want to search (find) for an interface (if) or definition (def) that contains a particular method or …more ...