From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 09 Dec 2008 08:43:18 -0500
Subject: [refpolicy] kernel_corecommands.patch
In-Reply-To: <493A777C.3010409@martinorr.name>
References: <492C6F92.3060408@redhat.com> <1228258287.9691.380.camel@gorn>
	<493A777C.3010409@martinorr.name>
Message-ID: <493E75F6.5020604@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin Orr wrote:
> On 02/12/08 22:51, Christopher J. PeBenito wrote:
>> On Tue, 2008-11-25 at 16:35 -0500, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corecommands.patch
>>>
>>> Add bin_t for ConsoleKit scripts
>> Merged, with some rearrangement.
> 
> It is not clear to me - why should these be labelled as bin_t instead of
> consolekit_exec_t?  Are they run by anything other than consolekit?
> 
> Best wishes,
> 
not currently, but we do not always label all binaries with a context
that can cause a transition.  And theoretically these scripts could be
used by another application.  Just because a script is labeled bin_t and
can be executed by a confined domain, does not mean it adds any privs to
the confined domain.  bin_t apps will execute in the current domain.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk+dfYACgkQrlYvE4MpobOefACfUaDejpp4pNWIVfF8CkID3in4
72wAnRJbvS4BZoUiINyDFr2lfdhIoXqN
=xek3
-----END PGP SIGNATURE-----