Hi SELinux experts,

Thanks a lot for taking a look at my question: how could I implement the bash "if-then-else" and "test" grammar in the current refpolicy interface?

For example, if I don't want the user_t to have the privilege to execute any kind of shell, what proper grammar should I use to implement something with the same logic as 'if ! test "X$1" = "Xuser_t"' in the corecmd_exec_shell interface:

    interface(`corecmd_exec_shell',`
        gen_require(`
            type bin_t, shell_exec_t;
        ')

        if ! test "X$1" = "Xuser_t"; then
            list_dirs_pattern($1, bin_t, bin_t)
            read_lnk_files_pattern($1, bin_t, bin_t)
            can_exec($1, shell_exec_t)
        fi
    ')

Thank you very much!

Best regards,
Harry