[Libguestfs] selinux question and answer

Daniel J Walsh dwalsh at redhat.com
Thu Aug 13 18:25:11 UTC 2009


On 08/13/2009 09:53 AM, Eric Paris wrote:
> On Thu, 2009-08-13 at 10:22 +0100, Matthew Booth wrote:
>> On 12/08/09 20:04, Richard W.M. Jones wrote:
>>> On Wed, Aug 12, 2009 at 02:41:16PM -0400, Daniel J Walsh wrote:
>>>> F11, F12, F..., RHEL6 ...
>>>> setcon("unconfined_u:unconfined_r:unconfined_t:s0")
>>>>
>>>> RHEL5
>>>> setcon("user_u:system_r:unconfined_t:s0")
>>>>
>>>> Would be valid, then you do not need to worry about executing a shell.
>>>
>>> Matt maybe we want this patch after all?
>>>
>>
>> Ok. We have a use case (/etc/mtab) which would be broken without this. 
>> I'd go ahead and add it.
>>
>> I'm inclined to try setcon to an ordered list of targets, stopping when 
>> one works. So far, I think we've got:
>>
>> 1. unconfined_u:unconfined_r:unconfined_t:s0
>> 2. user_u:system_r:unconfined_t:s0
> 
> 3. sysadm_u:sysadm_r:sysadm_t:s0
> 
>> 4. system_u:object_r:unconfined_t:s0
> 
> 5. system_u:object_r:sysadm_t:s0
> 
>> sysadm_t was mentioned on our call yesterday as being the root login 
>> domain for an MLS policy. What's a good set for MLS?
> 
> 
> 
Change all of the s0 with

chroot semanage login -l | awk '/root/ { print $3 }' 
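
The fallback list and the level substitution discussed in this thread, combined in an added example (not code from the thread or from libguestfs): the function names and the sample `semanage login -l` output are constructed for illustration, and the root row is matched on its login name exactly rather than by pattern.

```shell
#!/bin/sh
# Added illustration: build the ordered setcon candidate list from the thread,
# with the trailing s0 replaced by the range mapped to the guest's root login.

# Constructed sample of `semanage login -l` output from an MLS guest.
sample_semanage_output() {
cat <<'EOF'

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      root                      s0-s15:c0.c1023
system_u                  system_u                  s0-s15:c0.c1023
EOF
}

# Print the MLS/MCS range (column 3) of the root login.
# Column 1 is compared exactly, so a login such as "rootadmin" is not picked up.
root_mls_range() {
    awk '$1 == "root" { print $3; exit }'
}

# Print the five candidate contexts in the order given in the thread.
# $1 is the range to append; an empty value falls back to s0.
candidate_contexts() {
    range=$1
    [ -n "$range" ] || range=s0
    for ctx in \
        unconfined_u:unconfined_r:unconfined_t \
        user_u:system_r:unconfined_t \
        sysadm_u:sysadm_r:sysadm_t \
        system_u:object_r:unconfined_t \
        system_u:object_r:sysadm_t
    do
        printf '%s:%s\n' "$ctx" "$range"
    done
}

# Demo on the constructed sample; inside a guest the input would come from
# running semanage login -l in the chroot.
candidate_contexts "$(sample_semanage_output | root_mls_range)"
```

A caller would try setcon on each printed context in turn and stop at the first one that succeeds.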