Re: [Libguestfs] selinux question and answer

On 13/08/09 10:31, Richard W.M. Jones wrote:
Ok. We have a use case (/etc/mtab) which would be broken without this.
I'd go ahead and add it.

I'm inclined to try setcon to an ordered list of targets, stopping when
one works. So far, I think we've got:

1. unconfined_u:unconfined_r:unconfined_t:s0
2. user_u:system_r:unconfined_t:s0
3. system_u:object_r:unconfined_t:s0

sysadm_t was mentioned on our call yesterday as being the root login
domain for an MLS policy. What's a good set for MLS?

I'm not even sure what "MLS" is.

Anyway, isn't there a way to get this from the /etc/selinux
configuration of the guest?  For example on a Fedora 10 machine I see:

$ cat /etc/selinux/targeted/contexts/default_type

$ cat /etc/selinux/targeted/contexts/default_contexts
system_r:crond_t:s0        system_r:system_crond_t:s0
system_r:local_login_t:s0  user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0         user_r:user_t:s0
system_r:sulogin_t:s0      sysadm_r:sysadm_t:s0
system_r:xdm_t:s0          user_r:user_t:s0

I just looked at the contents of these files for the minimum and mls policies on F11, and they're all (nearly) identical. I'm not sure we can use these to distinguish.

Matthew Booth, RHCA, RHCSS
Red Hat Engineering, Virtualisation Team

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
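
An added example, not part of the original message or of libguestfs: the ordered setcon fallback proposed above, plus a lookup in a guest's default_contexts file as suggested in the quoted text. The names try_contexts, context_from_defaults and fake_setcon are hypothetical; fake_setcon stands in for libselinux setcon() so the code runs without SELinux, and the SELinux user prefixed to a looked-up entry is the caller's assumption.

```c
#include <stdio.h>
#include <string.h>
/* Same shape as libselinux setcon(3): 0 on success, -1 on failure. */
typedef int (*setcon_fn)(const char *context);

/* Candidate contexts from the thread, in the order listed there. */
static const char *const thread_candidates[] = {
    "unconfined_u:unconfined_r:unconfined_t:s0",
    "user_u:system_r:unconfined_t:s0",
    "system_u:object_r:unconfined_t:s0",
};

/* Constructed sample: two default_contexts lines quoted in the thread. */
const char sample_defaults[] =
    "system_r:sshd_t:s0         user_r:user_t:s0\n"
    "system_r:sulogin_t:s0      sysadm_r:sysadm_t:s0\n";

/* Try each context in order; return the index that worked, or -1. */
int try_contexts(setcon_fn fn, const char *const *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (fn(list[i]) == 0) return (int)i;
    return -1;
}

/* Find the line whose first field is `from`, take the first context after it,
 * and write "user:role:type:level" to out (entries carry no user themselves). */
int context_from_defaults(const char *text, const char *from,
                          const char *user, char *out, size_t outlen) {
    char line[256], key[128], val[128];
    while (*text) {
        size_t len = strcspn(text, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, text);
        text += len + (text[len] == '\n');
        if (sscanf(line, "%127s %127s", key, val) == 2 && !strcmp(key, from)) {
            int r = snprintf(out, outlen, "%s:%s", user, val);
            return (r >= 0 && (size_t)r < outlen) ? 0 : -1;
        }
    }
    return -1;
}

/* Constructed stand-in for setcon(): a pretend policy that only knows user_u. */
static int fake_setcon(const char *c) { return strncmp(c, "user_u:", 7) ? -1 : 0; }

int main(void) {
    int i = try_contexts(fake_setcon, thread_candidates, 3);
    printf("selected: %s\n", i >= 0 ? thread_candidates[i] : "(none)");
    return i >= 0 ? 0 : 1;
}
```

On a real guest, pass libselinux's setcon in place of fake_setcon and read the text from /etc/selinux/<policy>/contexts/default_contexts.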

