
Re: How to make SELinux file context permanent?



On Mon, 03-04-2006 at 19:52 -0400, Ivan Gyurdiev wrote:
> Creating a policy module should not be necessary - you can use the 
> semanage command with the fcontext option to add file context 
> specification to the local config. However, adding a workaround is *not* 
> the correct solution.
Please explain. Why is binding the context to the packaged file a
workaround, while maintaining one big list of all files that people
possibly could put on their systems (yeah, right, dream on) is a
solution?

Also, in this situation, why isn't there one big list of e.g. writable
files allowed for any system, and especially, one big list of set-uid
programs allowed for any system?

For me it's natural that a file context is bound to the file and should
be transported with it/stay stuck to it. semanage is already somewhat
portable (I can check for its presence, I can check for particular
type/role I'm interested in - my RPM package can still be installed on
any system, regardless of SELinux presence, policies and so on), and
remember it doesn't really need to if I know what system I'm building
for (and this is Fedora Extras, not a "Build a completely cross-distro
RPM packages-HowTo").

The existence of policy modules also suggests that "one big policy for
everyone" is not a goal of SELinux, or at least suggests so to me.

Lam

Attachment: signature.asc
Description: This is a digitally signed message part

