On 02/12/13 07:57 AM, Danek Duvall wrote:
> > {file_dac_write}:/system/volatile,{file_dac_write}:/system/volatile/*
>
> Right, but file_dac_write is the wrong privilege. I was trying this for a
> service a while back, and Casper pointed me to the "zone" privilege (which
> is like the "all" privilege, but DTRT in zones), and that *that* can take a
> path limiting it as well. There are a few examples in privileges(5), but
> it's not clear from any of it that this is what you want to do here.
> At any rate, give it a shot, see if it does what you want.

Aha! {zone} wasn't really documented in privileges(5) and I mistook your
use of "zone" as being some sort of privilege-related terminology I
hadn't heard of, rather than the name of an actual privilege, sorry.
So yes, this does appear to work - I'll file a bug to further refine the
privileges we use, which now gets to be:
basic,{zone}:/system/volatile,priv_netaddr

> (And apologies, I meant "extended policy" instead of "mwac" in my original
> message.)

No worries :-)
cheers,
tim
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss