incrontab_t (hopefully) complete, let's look at the
domain. As this domain will also be used to execute the user (and
system) commands provided through the incrontabs, we need to consider
how we are going to deal with this wide range of possible permissions
that it might take. One …
So I've shown the iterative approach used to develop policies. Again, please be aware that this is my way of developing policies, other policy developers might have a different approach. We were working on the incrontab command, so let's continue with trying to create a new user incrontab:
$ incrontab -e …
If you notice that a process is running in the
unlabeled_t domain, the
first question to ask is how it got there.
Well, one way is to have a process running in a known domain, like
screen_t, after which the SELinux policy module that provides this
domain is removed from …
For internal communication between guests on my workstation, I use IPv6 which is set up using the Router Advertisement "feature" of IPv6. The tools I use are dnsmasq for DNS/DHCP and router advertisement support, and dhcpcd as client. It might be a total mess (grew almost organically until it …more ...
While writing up the posts on capabilities, one thing I had in my mind was to give some additional information on frequently occurring denials, such as the dac_override and dac_read_search capabilities, and when they are triggered. For the DAC-related capabilities, policy developers often notice that these capabilities are triggered without …more ...