I see. In that case I am not going to push this topic much further. Thanks for your assistance!<br><br>But wouldn&#39;t it be nice to have an allow mechanism in SELinux in which I could grant access based on it&#39;s existing access. What I want to achieve is to be able to add a rule like &quot;If process can read etc_t, then it can also read etc_foo_t&quot;
<br><br>That would allow me to change context of individual files, and grant access to them by process who already have etc_t, and I wouldn&#39;t have to redefine almost the entire selinux context tree just to target a few individual files in /etc for my app.
<br><br>T.<br><br><div><span class="gmail_quote">On 9/18/07, <b class="gmail_sendername">Daniel J Walsh</b> &lt;<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1<br><br>Torbjørn Lindahl wrote:<br>&gt; Good point.<br>&gt; I probably can live with that.<br>&gt;<br>&gt; Still I am not sure if I would like it to have full access to all files
<br>&gt; labelled etc_t . It would be nice to be able to single out only a few of<br>&gt; them. Perhaps I should look at something other than the targeted policy.<br>&gt;<br>&gt; On 9/17/07, Daniel J Walsh &lt;<a href="mailto:dwalsh@redhat.com">
dwalsh@redhat.com</a>&gt; wrote:<br>&gt; Torbjørn Lindahl wrote:<br>&gt;&gt;&gt;&gt; Hello, I am writing an application that I want to limit using selinux.<br>&gt;&gt;&gt;&gt;<br>&gt;&gt;&gt;&gt; audit.log shows that it wants access to /etc/nsswitch.conf and
<br>&gt; /etc/hosts -<br>&gt;&gt;&gt;&gt; which doesn&#39;t seem to unreasonable, however both these have types etc_t<br>&gt; ,<br>&gt;&gt;&gt;&gt; and allowing myapp_t to read etc_t would also give it access to for<br>&gt; example
<br>&gt;&gt;&gt;&gt; /etc/passwd, which i do not want.<br>&gt;&gt;&gt;&gt;<br>&gt;&gt;&gt;&gt;<br>&gt;&gt;&gt;&gt; Do I have to invent a new type for these two files to be able to keep my<br>&gt;&gt;&gt;&gt; application from the other etc_t files in /etc ?
<br>&gt;&gt;&gt;&gt;<br>&gt;&gt;&gt;&gt;<br>&gt;&gt;&gt;&gt;<br>&gt;&gt;&gt;&gt;<br>&gt;&gt;&gt;&gt;<br>&gt;&gt;&gt;&gt; ------------------------------------------------------------------------<br>&gt;&gt;&gt;&gt;<br>&gt;&gt;&gt;&gt; --
<br>&gt;&gt;&gt;&gt; fedora-selinux-list mailing list<br>&gt;&gt;&gt;&gt; <a href="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</a><br>&gt;&gt;&gt;&gt; <a href="https://www.redhat.com/mailman/listinfo/fedora-selinux-list">
https://www.redhat.com/mailman/listinfo/fedora-selinux-list</a><br>&gt; Yes you can, but the more different file_context that you have in /etc,<br>&gt; the harder they will be to maintain.<br>&gt;<br>&gt; Reading /etc/passwd is not as dangerous as being able to read
<br>&gt; /etc/shadow.&nbsp;&nbsp;So consider if this is really necessary.<br>&gt;&gt;<br><br>&gt; ------------------------------------------------------------------------<br><br>&gt; --<br>&gt; fedora-selinux-list mailing list<br>&gt; 
<a href="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</a><br>&gt; <a href="https://www.redhat.com/mailman/listinfo/fedora-selinux-list">https://www.redhat.com/mailman/listinfo/fedora-selinux-list</a>
<br>All of the current policies including mls allow reading of etc_t for<br>most domains, and /etc/passwd is labeled etc_t.<br>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v1.4.7 (GNU/Linux)<br>Comment: Using GnuPG with Fedora - 
<a href="http://enigmail.mozdev.org">http://enigmail.mozdev.org</a><br><br>iD8DBQFG8AFbrlYvE4MpobMRAtxMAKCXrwFqgATmTBQoNip52wmaHXFowQCgj0Ld<br>Jz2zh2M8ID/nkU4Rgod4UVw=<br>=8+JV<br>-----END PGP SIGNATURE-----<br></blockquote>
</div><br><br clear="all"><br>-- <br>mvh<br>Torbjørn Lindahl