From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 13 Sep 2012 13:42:15 -0400
Subject: [refpolicy] [PATCH 1/2] Label /var/run/mdadm/map as mdadm_map_t
In-Reply-To: <1347552568.2915.30.camel@d30.localdomain>
References: <1347406308-20976-1-git-send-email-bigon@debian.org> <1347468575.2915.16.camel@d30.localdomain> <5051FD8F.9020801@redhat.com> <1347552568.2915.30.camel@d30.localdomain>
Message-ID: <50521AF7.90906@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/13/12 12:09, Dominick Grift wrote:
>
>
> On Thu, 2012-09-13 at 11:36 -0400, Daniel J Walsh wrote:
>> On 09/12/2012 12:49 PM, Dominick Grift wrote:
>>>
>>>
>>> On Wed, 2012-09-12 at 01:31 +0200, Laurent Bigonville wrote:
>>>> From: Laurent Bigonville
>>>>
>>>> mdadm is now creating map file under /run/mdadm/map --- raid.fc | 1 + >>>> 1 file changed, 1 insertion(+) >>>> >>>> diff --git a/raid.fc b/raid.fc index ed9c70d..e3c8bfb 100644 --- >>>> a/raid.fc +++ b/raid.fc
@@ -4,3 +4,4 @@ /sbin/mdmpd -- >>>> gen_context(system_u:object_r:mdadm_exec_t,s0) >>>> >>>> /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) >>>> +/var/run/mdadm/map -- gen_context(system_u:object_r:mdadm_map_t,s0)
>>>
>>> I think it's probably best to drop mdadm_map_t and make it an alias of
>>> mdadm_var_run_t instead
>>>
>>> I have some changes from both myself and fedora for raid module in the
>>> pipeline.
>>>
>>> It sucks though because both fedora as well as refpolicy made mdadm_t an
>>> unconfined type. That basically makes it almost impossible for us to
>>> develop it further and receive feedback on it.
>>>
>> Dominick, let's turn that off in Rawhide.
>>
>
> That is a good idea. I would like to hear pebenito's opinion about
> removing it in refpolicy as well.
>
> What caused refpolicy to make mdadm_t an unconfined domain in the first
> place?

I'm fine with it. I suspect it's a remnant of the original targeted policy where only network-facing services were confined.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
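
Review bot: the added /var/run/mdadm/map entry in raid.fc only takes effect when the file is relabeled, and the diffstat shows raid.fc is the only file changed, so nothing in this patch makes mdadm create the map file as mdadm_map_t. A file created at runtime under /var/run/mdadm inherits the directory's mdadm_var_run_t unless the policy carries a matching file type transition. Either confirm that 2/2 or the existing raid.te declares mdadm_map_t as a file type and adds that transition, or drop the separate type and let the existing /var/run/mdadm(/.*)? line cover the map file.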