mirror of
https://github.com/shadowsocks/shadowsocks-rust.git
synced 2026-02-09 01:59:16 +08:00
This policy provides several security improvements over running shadowsocks as `unconfined_service_t`:

- **Principle of least privilege**: Only grants necessary permissions
- **Network isolation**: Controls which ports and connections are allowed
- **File system protection**: Restricts file access to configuration and required system files
- **Process isolation**: Runs in a dedicated SELinux domain
- **Audit trail**: All access attempts are logged for security monitoring
4 lines
299 B
Plaintext
/usr/bin/ssservice -- gen_context(system_u:object_r:shadowsocks_exec_t,s0)
/etc/shadowsocks(/.*)? -- gen_context(system_u:object_r:shadowsocks_conf_t,s0)
/usr/lib/systemd/system/ss-server@.*\.service -- gen_context(system_u:object_r:shadowsocks_unit_file_t,s0)
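To check which paths the three entries above actually cover, the following added example (not part of the shadowsocks-rust repository) resolves sample paths against them. It is a simplified matcher: it assumes patterns are anchored at both ends and that `--` restricts an entry to regular files, and it ignores the precedence rules libselinux applies between overlapping entries, which these three do not need. The sample paths are constructed.

```python
import re

# The three entries from the file above, copied verbatim.
FC_TEXT = r"""
/usr/bin/ssservice -- gen_context(system_u:object_r:shadowsocks_exec_t,s0)
/etc/shadowsocks(/.*)? -- gen_context(system_u:object_r:shadowsocks_conf_t,s0)
/usr/lib/systemd/system/ss-server@.*\.service -- gen_context(system_u:object_r:shadowsocks_unit_file_t,s0)
"""

# File-type specifiers of the .fc format; an entry without one matches any type.
SPECIFIERS = {"--": "file", "-d": "dir", "-l": "symlink", "-s": "socket",
              "-p": "fifo", "-b": "block", "-c": "char"}

def parse_fc(text):
    """Return (compiled_regex, file_kind_or_None, selinux_type) per entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            pattern, kind, context = fields[0], SPECIFIERS[fields[1]], fields[2]
        else:
            pattern, kind, context = fields[0], None, fields[1]
        m = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", context)
        if m is None:
            raise ValueError(f"unsupported context field: {context}")
        # user:role:type -> keep only the type, which is what enforcement keys on.
        entries.append((re.compile(pattern), kind, m.group(1).split(":")[2]))
    return entries

def label_for(path, kind, entries):
    """Type these entries assign to `path`, or None if none of them applies."""
    for regex, want_kind, se_type in entries:
        # Patterns are anchored at both ends, hence fullmatch.
        if regex.fullmatch(path) and want_kind in (None, kind):
            return se_type
    return None

ENTRIES = parse_fc(FC_TEXT)

if __name__ == "__main__":
    # Constructed sample paths: (path, kind of filesystem object).
    for path, kind in [("/usr/bin/ssservice", "file"),
                       ("/etc/shadowsocks/config.json", "file"),
                       ("/etc/shadowsocks", "dir"),
                       ("/etc/shadowsocks-old/config.json", "file"),
                       ("/usr/lib/systemd/system/ss-server@.service", "file")]:
        print(f"{kind:5} {path:45} -> {label_for(path, kind, ENTRIES)}")
```

A `None` result means the path is left to whatever other policy assigns; that is the case for the `/etc/shadowsocks` directory itself, because the `--` specifier limits the entry to regular files.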