From: dwalsh@redhat.com (Daniel J Walsh) Date: Tue, 09 Dec 2008 08:43:18 -0500 Subject: [refpolicy] kernel_corecommands.patch In-Reply-To: <493A777C.3010409@martinorr.name> References: <492C6F92.3060408@redhat.com> <1228258287.9691.380.camel@gorn> <493A777C.3010409@martinorr.name> Message-ID: <493E75F6.5020604@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martin Orr wrote: > On 02/12/08 22:51, Christopher J. PeBenito wrote: >> On Tue, 2008-11-25 at 16:35 -0500, Daniel J Walsh wrote: >>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corecommands.patch >>> >>> Add bin_t for ConsoleKit scripts >> Merged, with some rearrangement. > > It is not clear to me - why should these be labelled as bin_t instead of > consolekit_exec_t? Are they run by anything other than consolekit? > > Best wishes, > not currently, but we do not always label all binaries with a context that can cause a transition. And theoretically these scripts could be used by another application. Just because a script is labeled bin_t and can be executed by a confined domain, does not mean it adds any privs to the confined domain. bin_t apps will execute in the current domain. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkk+dfYACgkQrlYvE4MpobOefACfUaDejpp4pNWIVfF8CkID3in4 72wAnRJbvS4BZoUiINyDFr2lfdhIoXqN =xek3 -----END PGP SIGNATURE-----