From: russell@coker.com.au (Russell Coker)
Date: Fri, 26 Sep 2008 07:00:24 +1000
Subject: [refpolicy] admin_firstboot.patch
In-Reply-To: <48DBF0C5.4040908@redhat.com>
References: <48DAA8FF.3000509@redhat.com> <200809251713.11227.russell@coker.com.au> <48DBF0C5.4040908@redhat.com>
Message-ID: <200809260700.26279.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Friday 26 September 2008 06:12, Daniel J Walsh wrote:
> Russell Coker wrote:
> > On Thursday 25 September 2008 06:54, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patch
> >>
> >> Remove TODO, If we have not done it yet we should forget about it
> >>
> >> Needs to run as an xserver_unconfined
> >
> > What is the point of having a firstboot_t? Why not just make it a
> > typealias for unconfined_t?
>
> Probably not, although there may be some transitions for firstboot_t
> which are not there for unconfined_t. Both are unconfined domains.

Why would you want such a transition? firstboot is used to configure
firewalls and things, being able to configure them as unconfined_t is
desirable and probably necessary.

From a high-level concept I can't imagine why you would want firstboot_t
having any transition that unconfined_t lacks.

In terms of reducing policy size (and therefore memory use and disk space),
removing needless unconfined domains is the best thing to do. A recent
change that I've made is removing unconfined_crond_t and making unconfined
cron jobs run as unconfined_t. I'm also wondering whether any of the
$1_crond_t domains actually do any good.

--
russell at coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development