http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patch
Remove TODO, if we have not done it yet we should forget about it
Needs to run as an xserver_unconfined
On Thursday 25 September 2008 06:54, Daniel J Walsh <[email protected]> wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patch
>
> Remove TODO, if we have not done it yet we should forget about it
>
> Needs to run as an xserver_unconfined
What is the point of having a firstboot_t? Why not just make it a typealias
for unconfined_t?
--
russell at coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
Russell Coker wrote:
> On Thursday 25 September 2008 06:54, Daniel J Walsh <[email protected]> wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patch
>>
>> Remove TODO, if we have not done it yet we should forget about it
>>
>> Needs to run as an xserver_unconfined
>
> What is the point of having a firstboot_t? Why not just make it a typealias
> for unconfined_t?
>
Probably not, although there may be some transitions for firstboot_t
which are not there for unconfined_t. Both are unconfined domains.
On Friday 26 September 2008 06:12, Daniel J Walsh <[email protected]> wrote:
> Russell Coker wrote:
> > On Thursday 25 September 2008 06:54, Daniel J Walsh <[email protected]> wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patch
> >>
> >> Remove TODO, if we have not done it yet we should forget about it
> >>
> >> Needs to run as an xserver_unconfined
> >
> > What is the point of having a firstboot_t? Why not just make it a
> > typealias for unconfined_t?
>
> Probably not, although there may be some transitions for firstboot_t
> which are not there for unconfined_t. Both are unconfined domains.
Why would you want such a transition?
firstboot is used to configure firewalls and things, being able to configure
them as unconfined_t is desirable and probably necessary.
From a high-level concept I can't imagine why you would want firstboot_t
having any transition that unconfined_t lacks.
In terms of reducing policy size (and therefore memory use and disk space),
removing needless unconfined domains is the best thing to do.
A recent change that I've made is removing unconfined_crond_t and making
unconfined cron jobs run as unconfined_t.
I'm also wondering whether any of the $1_crond_t domains actually do any good.
--
russell at coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
Russell Coker wrote:
> On Friday 26 September 2008 06:12, Daniel J Walsh <[email protected]> wrote:
>> Russell Coker wrote:
>>> On Thursday 25 September 2008 06:54, Daniel J Walsh <[email protected]> wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patch
>>>>
>>>> Remove TODO, if we have not done it yet we should forget about it
>>>>
>>>> Needs to run as an xserver_unconfined
>>> What is the point of having a firstboot_t? Why not just make it a
>>> typealias for unconfined_t?
>> Probably not, although there may be some transitions for firstboot_t
>> which are not there for unconfined_t. Both are unconfined domains.
>
> Why would you want such a transition?
>
Well we also have the problem of machines without the unconfined domain.
(MLS, Strict). So I am not sure how to fix those. As I have stated
before I think removing the unconfined domain is a mistake, I would much
rather be able to take the unconfined_domain privs away from initrc_t
and other unconfined domains and leave unconfined_t even for MLS
machines, when running as full administrator. Tools like rpm and dpkg,
firstboot are almost always going to need to be unconfined. file_trans
is what I was talking about. Making sure files created in /etc have the
right context. We can experiment with removing firstboot policy after
F10 is released, to make sure it does not cause any problems.
> firstboot is used to configure firewalls and things, being able to configure
> them as unconfined_t is desirable and probably necessary.
>
> From a high-level concept I can't imagine why you would want firstboot_t
> having any transition that unconfined_t lacks.
>
> In terms of reducing policy size (and therefore memory use and disk space),
> removing needless unconfined domains is the best thing to do.
>
> A recent change that I've made is removing unconfined_crond_t and making
> unconfined cron jobs run as unconfined_t.
>
> I'm also wondering whether any of the $1_crond_t domains actually do any good.
>
Fedora does not use $1_crond_t any longer.
On Friday 26 September 2008 22:55, Daniel J Walsh <[email protected]> wrote:
> >> Probably not, although there may be some transitions for firstboot_t
> >> which are not there for unconfined_t. Both are unconfined domains.
> >
> > Why would you want such a transition?
>
> Well we also have the problem of machines without the unconfined domain.
> (MLS, Strict). So I am not sure how to fix those. As I have stated
Is it now possible to have a machine installed with MLS policy and never run
any other policy?
> before I think removing the unconfined domain is a mistake, I would much
> rather be able to take the unconfined_domain privs away from initrc_t
> and other unconfined domains and leave unconfined_t even for MLS
> machines, when running as full administrator.
That sounds reasonable.
> > I'm also wondering whether any of the $1_crond_t domains actually do any
> > good.
>
> Fedora does not use $1_crond_t any longer.
So staff_t cron jobs run as staff_t etc?
OK, I'll do the same for Lenny.
--
russell at coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development