Using domain can restrict access to system_data_file, but it still gives access to processes' private files. Is there a way to tag an attribute to all /proc files that I can use instead of domain?
Thanks,
Tai

On 10/7/13 3:17 PM, "Stephen Smalley" <[email protected]> wrote:

>The domain attribute only expands to the set of domain types, i.e. types
>that are assigned to processes. And the only files that are labeled
>with domains are the /proc/pid files for those domains. So allow X
>domain:file r_file_perms; only allows it to read the /proc/pid files,
>not other files on the system.
>
>Also, certain /proc/pid files are further restricted by a ptrace check.
>
>Finally, you can limit it to only being able to read the /proc/pid files
>of specific domains by assigning a new type attribute to all of the
>client domains and then using that attribute in your allow rule instead
>of using "domain".
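
The narrowing described in the quoted reply, written out as a policy fragment. This is an added example, not part of the original thread or of the SEAndroid policy: monitor_app, client_a, client_b and proc_client are hypothetical names, and the dir and lnk_file rules and the neverallow check are assumptions that go beyond the single file rule quoted above.

```selinux
# Constructed example. monitor_app, client_a and client_b are hypothetical
# domain types assumed to be declared elsewhere, e.g. "type client_a, domain;".

# Broad form from the thread: "domain" expands to every process type, so the
# reader can open the /proc/pid files of every process on the system.
#   allow monitor_app domain:file r_file_perms;

# Narrowed form: declare a new attribute and attach it only to the client
# domains whose /proc/pid entries the reader actually needs.
attribute proc_client;
typeattribute client_a proc_client;
typeattribute client_b proc_client;

# /proc/pid directories carry the same label as the process, so directory
# search is needed as well as file read (assumption: the reader walks
# /proc/<pid>/ itself rather than receiving an open descriptor).
allow monitor_app proc_client:dir r_dir_perms;
allow monitor_app proc_client:file r_file_perms;
allow monitor_app proc_client:lnk_file r_file_perms;

# Compile-time guard (assumption, not from the thread): the policy build
# fails if a later rule lets monitor_app read the /proc/pid files of any
# domain outside the attribute, other than its own.
neverallow monitor_app { domain -proc_client -monitor_app }:file read;
```

As the reply notes, certain /proc/pid files are further restricted by a ptrace check, so these allow rules alone do not open every entry under a client's /proc/pid directory.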
