From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 26 Sep 2008 08:55:06 -0400
Subject: [refpolicy] admin_firstboot.patch
In-Reply-To: <200809260700.26279.russell@coker.com.au>
References: <48DAA8FF.3000509@redhat.com> <200809251713.11227.russell@coker.com.au> <48DBF0C5.4040908@redhat.com> <200809260700.26279.russell@coker.com.au>
Message-ID: <48DCDBAA.8030801@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Russell Coker wrote:
> On Friday 26 September 2008 06:12, Daniel J Walsh wrote:
>> Russell Coker wrote:
>>> On Thursday 25 September 2008 06:54, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patch
>>>>
>>>> Remove TODO; if we have not done it yet we should forget about it.
>>>>
>>>> Needs to run as an xserver_unconfined.
>>> What is the point of having a firstboot_t? Why not just make it a
>>> typealias for unconfined_t?
>> Probably not, although there may be some transitions for firstboot_t
>> which are not there for unconfined_t. Both are unconfined domains.
>
> Why would you want such a transition?
>
Well, we also have the problem of machines without the unconfined domain
(MLS, Strict). So I am not sure how to fix those. As I have stated before,
I think removing the unconfined domain is a mistake. I would much rather be
able to take the unconfined_domain privs away from initrc_t and other
unconfined domains and leave unconfined_t even for MLS machines, when
running as full administrator. Tools like rpm, dpkg and firstboot are almost
always going to need to be unconfined.

file_trans is what I was talking about: making sure files created in /etc
have the right context.

We can experiment with removing the firstboot policy after F10 is released,
to make sure it does not cause any problems.

> firstboot is used to configure firewalls and things, being able to configure
> them as unconfined_t is desirable and probably necessary.
>
> From a high-level concept I can't imagine why you would want firstboot_t
> having any transition that unconfined_t lacks.
>
> In terms of reducing policy size (and therefore memory use and disk space),
> removing needless unconfined domains is the best thing to do.
>
> A recent change that I've made is removing unconfined_crond_t and making
> unconfined cron jobs run as unconfined_t.
>
> I'm also wondering whether any of the $1_crond_t domains actually do any good.
>
Fedora does not use $1_crond_t any longer.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjc26oACgkQrlYvE4MpobPALQCggiaj+TVbCDBcXx35WtzI25l+
BP8AoKS20L3NUo8zuOWZMA+558IcrY9+
=Ni/E
-----END PGP SIGNATURE-----
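The "file_trans" point above is the crux of the disagreement: a separate firstboot_t domain can carry a file type transition that unconfined_t does not, whereas a typealias makes the two names one domain and erases that distinction. The fragment below is an added illustration written for this page; it is not code from admin_firstboot.patch, from Fedora's policy or from refpolicy. etc_t and unconfined_t are real refpolicy types; firstboot_conf_t is an assumed private type invented here for illustration, and the two options are shown side by side only to contrast them, since a policy can declare firstboot_t as a type or as an alias, never both.

```selinux
# Added illustration, not part of the patch under discussion or of refpolicy.
# etc_t and unconfined_t exist in refpolicy; firstboot_conf_t is an assumed
# name used only for this example.

##### Option A: keep firstboot_t as its own domain #####

type firstboot_t;
type firstboot_conf_t;

# A file created by firstboot_t inside an etc_t directory receives
# firstboot_conf_t instead of inheriting etc_t from the parent directory.
# This is the kind of /etc transition Dan refers to.  In refpolicy style it
# would normally be expressed through the interface
#   files_etc_filetrans(firstboot_t, firstboot_conf_t, file)
# which expands to approximately the raw kernel-policy rule below.
type_transition firstboot_t etc_t:file firstboot_conf_t;

##### Option B: Russell's proposal, no separate domain #####

# firstboot_t becomes another name for unconfined_t.  Every rule written
# against firstboot_t now applies to unconfined_t as well, so a transition
# that should fire only for firstboot and not for an ordinary unconfined
# shell can no longer be expressed.  Policy size shrinks accordingly.
typealias unconfined_t alias firstboot_t;
```

To check which of the two shapes a built policy actually has, `sesearch -T -s firstboot_t -t etc_t -c file` lists the type_transition rules from firstboot_t on etc_t files; under option B the same query for unconfined_t returns the identical rules, under option A it does not.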