Where is fixfiles.cron?

Yuichi Nakamura himainu-ynakam at miomio.jp
Tue Nov 16 19:43:32 UTC 2004


Daniel J Walsh wrote:
> fixfiles.cron causes more problems than it solves. It made little sense
> in targeted policy.
<snip>

I understand.  

But fixfiles.cron will be useful for users who understand SELinux well.
I hope the script is included somewhere.

> fixfiles will report these as errors. So until someone comes up
> with a better way to handle these situations I thought it better to not
> install it any longer.
Integrity of labeling is critical for SELinux; it should be solved.

I think there are two choices: one is to modify policy and
 the other is to modify fixfiles.
- Changing policy:
For example, if we do not want the label of a key file to ever be changed by setfiles,
declare type "key_t" with an attribute, like
type key_t, dontchange;
And make setfiles (or fixfiles) run as setfiles_t.
setfiles_t is configured to be unable to modify labels for the neverchange attribute.

- Changing fixfiles:
There is an exclude list in fixfiles.cron.
For example, the content of the list is "httpd_user_script_rw_t" and "gpgkey_t".
fixfiles skips files that have a label in the exclude list.

Changing policy is more "MAC" but will take more time to modify, and the side effects will be bigger.

---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
  http://www.selinux.gr.jp/
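
Added example (not part of the original message, and not the actual fixfiles.cron script): a sketch of the exclude-list approach described under "Changing fixfiles", where files whose current type is on the list keep their label. It assumes tab-separated records of path, current context and expected context; the function names and the sample records are hypothetical.

```shell
#!/bin/sh
# Added illustration, not the fixfiles.cron script from the thread.
# Each record is "path<TAB>current_context<TAB>expected_context".

# Hypothetical exclude list holding the two types named in the post.
EXCLUDE_TYPES="httpd_user_script_rw_t gpgkey_t"
TAB=$(printf '\t')

# Print the type field of a context of the form user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed if the given type is on the exclude list.
is_excluded() {
    for t in $EXCLUDE_TYPES; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# Read records on stdin and print one decision per mislabeled file:
#   SKIP<TAB>path<TAB>type        current type is excluded, label is kept
#   RELABEL<TAB>path<TAB>context  file would be reset to the expected context
plan_relabel() {
    while IFS="$TAB" read -r path cur exp; do
        [ -n "$path" ] || continue
        [ "$cur" = "$exp" ] && continue    # already labeled as expected
        ctype=$(context_type "$cur")
        if is_excluded "$ctype"; then
            printf 'SKIP\t%s\t%s\n' "$path" "$ctype"
        else
            printf 'RELABEL\t%s\t%s\n' "$path" "$exp"
        fi
    done
}

# Constructed sample records (paths and contexts are made up for the example).
sample_records() {
    printf '%s\t%s\t%s\n' \
        /home/alice/public_html/data.db user_u:object_r:httpd_user_script_rw_t user_u:object_r:user_home_t \
        /home/alice/.gnupg/secring.gpg user_u:object_r:gpgkey_t:s0 user_u:object_r:user_home_t:s0 \
        /etc/passwd system_u:object_r:etc_t system_u:object_r:etc_t \
        /var/www/html/index.html system_u:object_r:file_t system_u:object_r:httpd_sys_content_t
}

sample_records | plan_relabel
```

The SKIP lines double as a review list: they are the files whose labels differ from the expected context but are deliberately left alone.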



