From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 21 Jul 2009 10:44:12 -0400
Subject: [refpolicy] apps_livecd.patch
In-Reply-To: <1248185504.2914.443.camel@gorn.columbia.tresys.com>
References: <4A155D58.3000202@redhat.com>
	<1248185504.2914.443.camel@gorn.columbia.tresys.com>
Message-ID: <4A65D43C.1010100@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/21/2009 10:11 AM, Christopher J. PeBenito wrote:
> On Thu, 2009-05-21 at 09:55 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/apps_livecd.patch
>>
>> Policy for the livecd command, allows the creation of images for
>> different OS Versions then the host machine.
> 
> I don't understand why this needs its own policy.
> 
livecd policy is used to allow it to apply labels that the host machine does not understand.  So if I am running livecd on a F10 box, and I want to build a livecd for F11, livecd will write context that F10 does not understand.  It should be the only process allowed to write these labels.

seutil_domtrans_setfiles_mac(livecd_t)

Is the key.