[Libguestfs] selinux question and answer

Daniel P. Berrange berrange at redhat.com
Thu Aug 13 09:41:57 UTC 2009


On Thu, Aug 13, 2009 at 10:22:03AM +0100, Matthew Booth wrote:
> On 12/08/09 20:04, Richard W.M. Jones wrote:
> >On Wed, Aug 12, 2009 at 02:41:16PM -0400, Daniel J Walsh wrote:
> >>F11, F12, F..., RHEL6 ...
> >>setcon("unconfined_u:unconfined_r:unconfined_t:s0")
> >>
> >>RHEL5
> >>setcon("user_u:system_r:unconfined_t:s0")
> >>
> >>Would be valid, then you do not need to worry about executing a shell.
> >
> >Matt maybe we want this patch after all?
> >
> 
> Ok. We have a use case (/etc/mtab) which would be broken without this. 
> I'd go ahead and add it.
> 
> I'm inclined to try setcon to an ordered list of targets, stopping when 
> one works. So far, I think we've got:
> 
> 1. unconfined_u:unconfined_r:unconfined_t:s0
> 2. user_u:system_r:unconfined_t:s0
> 3. system_u:object_r:unconfined_t:s0
> 
> sysadm_t was mentioned on our call yesterday as being the root login 
> domain for an MLS policy. What's a good set for MLS?

Could you discover the necessary/supported targets from the semanage, 

eg

# semanage user -l 

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh           system_r
user_u          user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r


Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
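An added example, not code from the thread or from libguestfs: the ordered-fallback setcon loop Matthew describes, with the candidate list extended from the `semanage user -l` table Daniel quotes. The `setcon` callable is an assumption so the loop runs offline; on a real appliance you would pass `selinux.setcon` from the libselinux Python bindings.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the `semanage user -l` table quoted in the thread above.
SEMANAGE_USER_L = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh           system_r
user_u          user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r
"""

PREFERRED = [  # Matthew's ordered list; tried before anything derived from semanage
    "unconfined_u:unconfined_r:unconfined_t:s0",
    "user_u:system_r:unconfined_t:s0",
    "system_u:object_r:unconfined_t:s0",
]

def parse_semanage_users(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map SELinux user -> (MLS level, roles); data rows are user/prefix/level/range/roles..."""
    users = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ("SELinux", "Labeling"):
            continue  # header lines or blanks
        users[parts[0]] = (parts[2], parts[4:])
    return users

def candidate_contexts(users, domain: str = "unconfined_t") -> List[str]:
    """PREFERRED first, then every user:role pair semanage reports, de-duplicated."""
    seen = set(PREFERRED)
    cands = list(PREFERRED)
    for user, (level, roles) in users.items():
        for role in roles:
            ctx = f"{user}:{role}:{domain}:{level}"
            if ctx not in seen:
                seen.add(ctx)
                cands.append(ctx)
    return cands

def set_first_working(cands: List[str], setcon: Callable[[str], int]) -> Optional[str]:
    """Call setcon() on each candidate in order; return the first one the policy accepts."""
    for ctx in cands:
        try:
            if setcon(ctx) == 0:
                return ctx
        except OSError:
            pass  # policy rejected this transition; try the next candidate
    return None
```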
