From: russell@coker.com.au (Russell Coker)
Date: Sat, 27 Sep 2008 06:34:27 +1000
Subject: [refpolicy] admin_firstboot.patch
In-Reply-To: <48DCDBAA.8030801@redhat.com>
References: <48DAA8FF.3000509@redhat.com> <200809260700.26279.russell@coker.com.au> <48DCDBAA.8030801@redhat.com>
Message-ID: <200809270634.29663.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Friday 26 September 2008 22:55, Daniel J Walsh wrote:
> >> Probably not, although there may be some transitions for firstboot_t
> >> which are not there for unconfined_t. Both are unconfined domains.
> >
> > Why would you want such a transition?
>
> Well we also have the problem of machines without the unconfined domain.
> (MLS, Strict). So I am not sure how to fix those. As I have stated

Is it now possible to have a machine installed with MLS policy and never run any other policy?

> before I think removing the unconfined domain is a mistake, I would much
> rather be able to take the unconfined_domain privs away from initrc_t
> and other unconfined domains and leave unconfined_t even for MLS
> machines, when running as full administrator.

That sounds reasonable.

> > I'm also wondering whether any of the $1_crond_t domains actually do any
> > good.
>
> Fedora does not use $1_crond_t any longer.

So staff_t cron jobs run as staff_t etc? OK, I'll do the same for Lenny.

--
russell at coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development