Great explanation - My understanding of 'domain' is wrong. Thanks, Tai
On 10/7/13 3:17 PM, "Stephen Smalley" <[email protected]> wrote:

> On 10/07/2013 03:13 PM, Tai Nguyen (tainguye) wrote:
>> This will work, but this will give the server access to all files and dir
>> on the system, right? So, it will give the server more privilege than
>> needed. We just want to give the server access to the /proc/<pid>/cmdline
>> file and not other files.
>
> The domain attribute only expands to the set of domain types, i.e. types
> that are assigned to processes. And the only files that are labeled
> with domains are the /proc/pid files for those domains. So allow X
> domain:file r_file_perms; only allows it to read the /proc/pid files,
> not other files on the system.
>
> Also, certain /proc/pid files are further restricted by a ptrace check.
>
> Finally, you can limit it to only being able to read the /proc/pid files
> of specific domains by assigning a new type attribute to all of the
> client domains and then using that attribute in your allow rule instead
> of using "domain".
>
>> On 10/7/13 3:01 PM, "Stephen Smalley" <[email protected]> wrote:
>>
>>> With regard to allowing it, you can allow it to read /proc/pid/cmdline
>>> for all domains by writing allow rules with the domain attribute, e.g.
>>> allow server domain:dir r_dir_perms;
>>> allow server domain:{ file lnk_file } r_file_perms;
>>> Or more succinctly using the r_dir_file() macro as:
>>> r_dir_file(server, domain)
>>>
>>> If you want to allow it for just app domains, you can write similar
>>> rules using the appdomain attribute rather than domain, e.g.
>>> r_dir_file(server, appdomain)
>>>
>>
>> --
>> This message was distributed to subscribers of the seandroid-list mailing list.
>> If you no longer wish to subscribe, send mail to [email protected] with
>> the words "unsubscribe seandroid-list" without quotes as the message.
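The narrowing Stephen describes in the thread (a new attribute on the client domains, used in place of `domain`), written out as a policy fragment. This is an added example, not code from the thread or from the SEAndroid policy; `server_t`, `client_a`, `client_b` and `cmdline_readable` are assumed names, and `r_dir_file()` is the te_macros macro quoted above.

```selinux
# Added example (not from the thread).  Assumed names:
#   server_t          the server's domain
#   client_a/client_b the client domains whose /proc/<pid>/cmdline it needs
#   cmdline_readable  a new attribute grouping exactly those clients

# Declare the attribute once; it is a set of types that starts out empty.
attribute cmdline_readable;

# Put each client domain into the set (here, or in each client's own .te file).
# Only types listed here become readable targets for server_t below.
typeattribute client_a cmdline_readable;
typeattribute client_b cmdline_readable;

# Broad form from the thread: every process's /proc/<pid> tree, because the
# `domain` attribute expands to all process types.  Kept as a comment for
# comparison only.
# r_dir_file(server_t, domain)

# Narrowed form: the same permissions, but the target set is the attribute,
# so /proc/<pid> files of domains outside cmdline_readable stay denied.
r_dir_file(server_t, cmdline_readable)

# What the macro expands to (same as the rules quoted in the thread):
# allow server_t cmdline_readable:dir r_dir_perms;
# allow server_t cmdline_readable:{ file lnk_file } r_file_perms;

# Note: the kernel's ptrace access check on certain /proc/<pid> files still
# applies on top of these rules, so an allow here does not by itself lift it.
```

With this loaded, an attempt by `server_t` to read the cmdline of a process in a domain not carrying the attribute shows up as an `avc: denied` entry whose `tcontext` names that domain, which is the denial you want to see.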
