[Libguestfs] selinux question and answer
Eric Paris
eparis at redhat.com
Thu Aug 13 13:53:47 UTC 2009
On Thu, 2009-08-13 at 10:22 +0100, Matthew Booth wrote:
> On 12/08/09 20:04, Richard W.M. Jones wrote:
> > On Wed, Aug 12, 2009 at 02:41:16PM -0400, Daniel J Walsh wrote:
> >> F11, F12, F..., RHEL6 ...
> >> setcon("unconfined_u:unconfined_r:unconfined_t:s0")
> >>
> >> RHEL5
> >> setcon("user_u:system_r:unconfined_t:s0")
> >>
> >> Would be valid, then you do not need to worry about executing a shell.
> >
> > Matt maybe we want this patch after all?
> >
>
> Ok. We have a use case (/etc/mtab) which would be broken without this.
> I'd go ahead and add it.
>
> I'm inclined to try setcon to an ordered list of targets, stopping when
> one works. So far, I think we've got:
>
> 1. unconfined_u:unconfined_r:unconfined_t:s0
> 2. user_u:system_r:unconfined_t:s0
3. sysadm_u:sysadm_r:sysadm_t:s0
> 4. system_u:object_r:unconfined_t:s0
5. system_u:object_r:sysadm_t:s0
> sysadm_t was mentioned on our call yesterday as being the root login
> domain for an MLS policy. What's a good set for MLS?
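
The ordered fallback discussed in this message, as an added example that is not part of the original thread or of libguestfs: try each candidate context with `setcon` and stop at the first one the loaded policy accepts. The function names and the two stubs are hypothetical and constructed for illustration; building with `-DHAVE_LIBSELINUX -lselinux` uses the real `setcon()` instead (assuming a libselinux whose `setcon` takes `const char *`).

```c
#include <stdio.h>
#include <string.h>
#ifdef HAVE_LIBSELINUX
#include <selinux/selinux.h>
#define SETCON setcon
#else
#define SETCON stub_setcon_rhel5   /* constructed stand-in, defined below */
#endif

/* Same shape as setcon(): 0 on success, -1 on failure. */
typedef int (*setcon_fn)(const char *context);

/* Candidate contexts, in the order listed in the thread. */
static const char *const candidates[] = {
    "unconfined_u:unconfined_r:unconfined_t:s0",
    "user_u:system_r:unconfined_t:s0",
    "sysadm_u:sysadm_r:sysadm_t:s0",
    "system_u:object_r:unconfined_t:s0",
    "system_u:object_r:sysadm_t:s0",
};
#define N_CANDIDATES (sizeof candidates / sizeof candidates[0])

/* Try each context in order, stopping at the first accepted one.
 * Returns its index, or -1 if none worked (context is left unchanged). */
int try_setcon_list(setcon_fn do_setcon, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (do_setcon(list[i]) == 0)
            return (int)i;
    return -1;
}

/* Constructed stub: a policy that accepts only the RHEL5 context. */
int stub_setcon_rhel5(const char *context)
{
    return strcmp(context, "user_u:system_r:unconfined_t:s0") == 0 ? 0 : -1;
}
/* Constructed stub: a policy that accepts none of the candidates. */
int stub_setcon_none(const char *context) { (void)context; return -1; }

int main(void)
{
    int idx = try_setcon_list(SETCON, candidates, N_CANDIDATES);
    if (idx < 0) {
        fprintf(stderr, "no candidate context accepted; context unchanged\n");
        return 1;
    }
    printf("now running as %s\n", candidates[idx]);
    return 0;
}
```

Returning the index lets the caller log which context actually took effect, and the -1 case has to be handled explicitly because the process then keeps whatever domain it started in.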