From: russell@coker.com.au (Russell Coker)
Date: Sat, 27 Sep 2008 06:34:27 +1000
Subject: [refpolicy] admin_firstboot.patch
In-Reply-To: <48DCDBAA.8030801@redhat.com>
References: <48DAA8FF.3000509@redhat.com>
	<200809260700.26279.russell@coker.com.au>
	<48DCDBAA.8030801@redhat.com>
Message-ID: <200809270634.29663.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Friday 26 September 2008 22:55, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >> Probably not, although there may be some transitions for firstboot_t
> >> which are not there for unconfined_t.  Both are unconfined domains.
> >
> > Why would you want such a transition?
>
> Well we also have the problem of machines without the unconfined domain.
>  (MLS, Strict).  So I am not sure how to fix those.  As I have stated

Is it now possible to have a machine installed with MLS policy and never run 
any other policy?

> before I think removing the unconfined domain is a mistake, I would much
> rather be able to take the unconfined_domain privs away from initrc_t
> and other unconfined domains and leave unconfined_t even for MLS
> machines, when running as full administrator.

That sounds reasonable.

> > I'm also wondering whether any of the $1_crond_t domains actually do any
> > good.
>
> Fedora does not use $1_crond_t any longer.

So staff_t cron jobs run as staff_t etc?

OK, I'll do the same for Lenny.

-- 
russell at coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development