Will wrote:
> I have this executable `foo`, with the path '/usr/lib/foo/foo' and I
> wanted to be able to reuse the domain policy when it is launched via a
> symlink:
>
> /usr/bin/foo --> /usr/lib/foo/foo
>
> Is there any way to force /usr/bin/foo, or more generally, all symlinks
> pointing to '/usr/lib/foo/foo', to the domain: <kernel>
> `/usr/lib/foo/foo`?
>
> Thanks.

You can add

  aggregator /usr/bin/foo /usr/lib/foo/foo
  initialize_domain /usr/lib/foo/foo from any

to the exception policy.

Since it is pointless to follow symlinks unconditionally (e.g. all programs
provided by busybox via symlink run in the busybox domain), only pathnames
which are explicitly specified via aggregator are remapped.

An example is shown as aggregator lines in
http://tomoyo.osdn.jp/cgi-bin/lxr/source/centos5.5/exception_policy.conf?v=policy-sample .
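
Since only explicitly listed pathnames are remapped, covering "all symlinks pointing to" a program means listing each one. The following is an added example, not part of the original message or of TOMOYO's tooling: a shell function that prints the two kinds of exception policy lines shown above for every symlink under the given directories that resolves to the target. The function name `gen_aggregators`, the use of GNU `readlink -f`, and the choice to resolve the directory part of each symlink path are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not TOMOYO's own code).
# Usage: gen_aggregators TARGET DIR...
# Prints one "aggregator" line per symlink under DIR... that resolves to
# TARGET, followed by the "initialize_domain" line for TARGET.
gen_aggregators() {
    target=$(readlink -f -- "$1") || return 1
    [ -e "$target" ] || return 1
    shift
    find "$@" -xdev -type l 2>/dev/null | while IFS= read -r link; do
        # Keep only symlinks whose fully resolved path is the target.
        [ "$(readlink -f -- "$link")" = "$target" ] || continue
        # Assumption: resolve the directory part but keep the symlink's
        # own name, since the symlink name is what gets remapped.
        dir=$(cd -- "$(dirname -- "$link")" && pwd -P) || continue
        link=$dir/$(basename -- "$link")
        case $link in
            *[[:space:]\\]*)
                # Such names need the policy's pathname escaping; this
                # example does not attempt it and reports them instead.
                echo "skipped (needs escaping): $link" >&2
                continue ;;
        esac
        printf 'aggregator %s %s\n' "$link" "$target"
    done | sort -u
    printf 'initialize_domain %s from any\n' "$target"
}
```

Review the output before adding it to the exception policy: every symlink it lists will run in the target's domain.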