How to make SELinux file context permanent?
Leszek Matok
Lam at Lam.pl
Tue Apr 4 01:03:26 UTC 2006
On Mon, 03-04-2006 at 19:52 -0400, Ivan Gyurdiev wrote:
> Creating a policy module should not be necessary - you can use the
> semanage command with the fcontext option to add file context
> specification to the local config. However, adding a workaround is *not*
> the correct solution.
Please explain. Why is binding the context to the packaged file a
workaround, while maintaining one big list of all files that people
possibly could put on their systems (yeah, right, dream on) is a
solution?
Also, in this situation, why isn't there one big list of e.g. writable
files allowed for any system, and especially, one big list of set-uid
programs allowed for any system?
For me it's natural that a file context is bound to the file and should
be transported with it/stay stuck to it. semanage is already somewhat
portable (I can check for its presence, I can check for the particular
type/role I'm interested in - my RPM package can still be installed on
any system, regardless of SELinux presence, policies and so on), and
remember it doesn't really need to be if I know what system I'm building
for (and this is Fedora Extras, not a "Build a completely cross-distro
RPM packages-HowTo").
The existence of policy modules also suggests that "one big policy for
everyone" is not a goal of SELinux, or at least that is what it suggests to me.
Lam
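For reference, here is the shape of the approach the reply above argues for: an RPM scriptlet that checks whether semanage is present and SELinux is enabled, registers a local file-context mapping with `semanage fcontext`, and relabels the installed tree with `restorecon`, degrading to a no-op on systems without SELinux. This is an added example, not code from the original thread or from Fedora's packaging guidelines; the path `/opt/myapp` and the type `httpd_sys_content_t` are hypothetical placeholders for whatever the package actually installs.

```shell
# Added example (not from the original thread). Assumed, hypothetical values:
# the package installs under /opt/myapp and wants httpd_sys_content_t.
SPEC_PATH='/opt/myapp(/.*)?'
SPEC_TYPE='httpd_sys_content_t'

# Render a mapping in file_contexts notation (handy for logging what was registered).
fcontext_spec() {
    printf '%s\tsystem_u:object_r:%s:s0\n' "$1" "$2"
}

# file_contexts specs are matched against absolute paths; reject anything else early.
fcontext_validate() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# True only when the SELinux userland is present and SELinux is actually enabled.
selinux_manageable() {
    command -v semanage >/dev/null 2>&1 &&
    command -v selinuxenabled >/dev/null 2>&1 &&
    selinuxenabled 2>/dev/null
}

# %post: add the local mapping (fall back to -m if it already exists), then relabel.
# Returns 0 when SELinux is absent so the package still installs there.
fcontext_install() {
    regex=$1; type=$2; dir=$3
    fcontext_validate "$regex" || return 1
    if ! selinux_manageable; then
        echo "SELinux not manageable here; skipping $(fcontext_spec "$regex" "$type")" >&2
        return 0
    fi
    semanage fcontext -a -t "$type" "$regex" 2>/dev/null ||
        semanage fcontext -m -t "$type" "$regex" || return 1
    restorecon -R "$dir"
}

# %postun (on final removal): drop the local mapping again.
fcontext_uninstall() {
    regex=$1; type=$2
    selinux_manageable || return 0
    semanage fcontext -d -t "$type" "$regex"
}

# Example invocation, as a %post scriptlet would do it:
# fcontext_install "$SPEC_PATH" "$SPEC_TYPE" /opt/myapp
```

The mapping lands in the local customisation store (what `semanage fcontext -l -C` lists), so it survives a policy update without shipping a policy module; the trade-off the thread is arguing about is exactly that it lives on the system rather than travelling with the file.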