Thanks, Bill. I got it now.

Tai

From: William Roberts 
<[email protected]<mailto:[email protected]>>
Date: Monday, October 7, 2013 3:18 PM
To: Tai Nguyen <[email protected]<mailto:[email protected]>>
Cc: Stephen Smalley <[email protected]<mailto:[email protected]>>, 
"[email protected]<mailto:[email protected]>" 
<[email protected]<mailto:[email protected]>>
Subject: Re: Rules to access /proc/pid/cmdline




On Mon, Oct 7, 2013 at 3:13 PM, Tai Nguyen (tainguye) 
<[email protected]<mailto:[email protected]>> wrote:
This will work, but this will give the server access to all files and dir
on the system, right? So, it will give the server more privilege than
needed. We just want to give the server access to the /proc/<pid>/cmdline
file and not other files.

On 10/7/13 3:01 PM, "Stephen Smalley" 
<[email protected]<mailto:[email protected]>> wrote:

>With regard to allowing it, you can allow it to read /proc/pid/cmdline
>for all domains by writing allow rules with the domain attribute, e.g.
>       allow server domain:dir r_dir_perms;
>       allow server domain:{ file lnk_file } r_file_perms;
>Or more succinctly using the r_dir_file() macro as:
>       r_dir_file(server, domain)
>
>If you want to allow it for just app domains, you can write similar
>rules using the appdomain attribute rather than domain, e.g.
>       r_dir_file(server, appdomain)
>



--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to 
[email protected]<mailto:[email protected]> with
the words "unsubscribe seandroid-list" without quotes as the message.


Not all files, just ones that share the domain attribute, which are really only 
files tied to a running process.
So it will give access to most things under proc, but not to system_data_file. 
Does this clear it up?

If not, look at the denials you see

allow X Y:file r_file_perms;

Notice Y will be system or untrusted_app

Those types have the attribute domain.

Other types, like app_data_file or system_data_file do not share that attribute.

Bill
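To make Bill's point concrete, here is an added shell example (not from the thread and not SEAndroid project code). It parses a few constructed avc denial lines for the server domain and checks each target type against a constructed stand-in for the member list of the `domain` attribute (in real use you would take that list from `seinfo -a domain -x sepolicy` in setools, which is assumed to be available). Target types that carry the attribute are exactly the ones `r_dir_file(server, domain)` covers; any other type in the denials, such as system_data_file, is a sign the server is touching more than /proc/<pid>/cmdline and needs its own, narrower rule rather than a broader one.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Given raw avc denials, list the target types a source domain was denied
# on and flag which of them carry the `domain` attribute.

# Constructed sample denials, in the format logcat/dmesg prints them.
DENIALS='avc: denied { read } for pid=1234 comm="server" name="cmdline" dev="proc" ino=5678 scontext=u:r:server:s0 tcontext=u:r:untrusted_app:s0 tclass=file
avc: denied { search } for pid=1234 comm="server" name="4321" dev="proc" ino=8765 scontext=u:r:server:s0 tcontext=u:r:system:s0 tclass=dir
avc: denied { read } for pid=1234 comm="server" name="foo" dev="mmcblk0p20" ino=1 scontext=u:r:server:s0 tcontext=u:object_r:system_data_file:s0 tclass=file'

# Constructed stand-in for the member list of the `domain` attribute.
# On a real policy, obtain it with: seinfo -a domain -x sepolicy (assumed setools).
DOMAIN_TYPES='server system untrusted_app platform_app shell'

# Print unique "type:class" pairs for each denial whose source domain is $1.
# Contexts look like u:r:type:s0, so the type is the third colon-separated field.
denied_targets() {
  printf '%s\n' "$DENIALS" | awk -v src="$1" '
    {
      s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        if ($i ~ /^tclass=/)   { sub(/^tclass=/, "", $i); c = $i }
      }
      if (s == src) print t ":" c
    }' | sort -u
}

# Return 0 if type $1 is a member of the `domain` attribute.
has_domain_attr() {
  for t in $DOMAIN_TYPES; do
    [ "$t" = "$1" ] && return 0
  done
  return 1
}

# Classify each denied target of source domain $1:
#   "domain <type> <class>"  covered by r_dir_file($1, domain)
#   "other  <type> <class>"  a non-process type; needs its own narrower rule
classify() {
  denied_targets "$1" | while IFS=: read -r type class; do
    if has_domain_attr "$type"; then
      echo "domain $type $class"
    else
      echo "other $type $class"
    fi
  done
}

classify server
```

For the constructed denials this reports system and untrusted_app as `domain` targets and system_data_file as `other`. If every `domain` target also carries appdomain (check with `seinfo -a appdomain -x sepolicy`), the narrower `r_dir_file(server, appdomain)` from Stephen's reply is enough; the `other` line is the one that should never be fixed by widening the attribute.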



