Re: Cure found for kernel updates




On 05/15/2014 10:21 AM, Nalin Dahyabhai wrote:
> On Wed, May 14, 2014 at 10:06:07PM +0200, Lennart Poettering wrote:
>> Well, the entirety of /boot should get the same selinux label, which is
>> perfectly suppported by the vfat kernel support.
> For whatever reason, the policy on my Raw Hide box locks down System.map
> more tightly than it does everything else:
>
>   # semanage fcontext -l | grep ^/boot
>   /boot                                all files       system_u:object_r:boot_t:s0 
>   /boot/.*                             all files       system_u:object_r:boot_t:s0 
>   /boot/System\.map(-.*)?              regular file    system_u:object_r:system_map_t:s0 
>   /boot/\.journal                      all files       <<None>>
>   /boot/a?quota\.(user|group)          regular file    system_u:object_r:quota_db_t:s0 
>   /boot/efi(/.*)?/System\.map(-.*)?    regular file    system_u:object_r:system_map_t:s0 
>   /boot/lost\+found                    directory       system_u:object_r:lost_found_t:s0 
>   /boot/lost\+found/.*                 all files       <<None>>
>
> Cheers,
>
> Nalin
Probably historical reasons.  These are the rules specific to this type.

   allow user_t system_map_t : file { ioctl read getattr lock open } ;
   allow klogd_t system_map_t : file { ioctl read getattr lock open } ;
   allow initrc_t system_map_t : file { ioctl read getattr lock open } ;
   allow insmod_t system_map_t : file { ioctl read getattr lock open } ;
   allow nagios_script_t system_map_t : file { ioctl read getattr lock open } ;
   allow bootloader_t system_map_t : file { ioctl read getattr lock open } ;
   allow nagios_t system_map_t : file { ioctl read getattr lock open } ;
   allow depmod_t system_map_t : file { ioctl read getattr lock open } ;
   allow xend_t system_map_t : file { ioctl read getattr lock open } ;
   allow ipsec_mgmt_t system_map_t : file { ioctl read getattr lock open } ;
   allow staff_t system_map_t : file { ioctl read getattr lock open } ;
   allow syslogd_t system_map_t : file { ioctl read getattr lock open } ;

We pretty much allow all of these domains to read system_map_t and
boot_t.  I don't see any reason for the alternate label.


-- 
desktop mailing list
desktop@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/desktop
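As an added example (not code from either post, from libselinux or from the Fedora policy), the following Python works the two listings above offline. It parses the `semanage fcontext -l` output into specs and resolves a path the way file_contexts is documented to be resolved (the last matching spec wins, and a spec restricted to "regular file" or "directory" only applies to that kind), lists the types used under /boot that differ from the catch-all boot_t label, and parses sesearch-style allow rules to compute which domains hold `read` on a type and how two types' reader sets differ. The /boot listing and the system_map_t rules are the thread's own output; the boot_t rules, the domain name example_t and the kernel version strings in the sample paths are constructed for this example and say nothing about any real policy.

```python
"""Added example (not code from the post, libselinux or the Fedora policy):
offline parsers for a `semanage fcontext -l` listing and sesearch-style allow
rules. The /boot listing and the system_map_t rules are the thread's own; the
boot_t rules and example_t are a constructed, hypothetical sample."""
import re

# Sample 1: the /boot listing quoted in the thread (trailing spaces dropped).
FCONTEXT_LISTING = r"""
/boot                                all files       system_u:object_r:boot_t:s0
/boot/.*                             all files       system_u:object_r:boot_t:s0
/boot/System\.map(-.*)?              regular file    system_u:object_r:system_map_t:s0
/boot/\.journal                      all files       <<None>>
/boot/a?quota\.(user|group)          regular file    system_u:object_r:quota_db_t:s0
/boot/efi(/.*)?/System\.map(-.*)?    regular file    system_u:object_r:system_map_t:s0
/boot/lost\+found                    directory       system_u:object_r:lost_found_t:s0
/boot/lost\+found/.*                 all files       <<None>>
"""

# path-regex, file kind (may contain one space), context; columns are 2+ spaces apart
FCONTEXT_RE = re.compile(r"^(\S+)\s+(.+?)\s{2,}(\S+)$")

def parse_fcontext(text):
    """Return [(path_regex, file_kind, type_or_None)] in listing order."""
    entries = []
    for line in text.strip().splitlines():
        m = FCONTEXT_RE.match(line.rstrip())
        if not m:
            continue
        regex, kind, ctx = m.groups()
        # "<<None>>" means policy deliberately assigns no label to that path
        typ = None if ctx == "<<None>>" else ctx.split(":")[2]
        entries.append((regex, kind, typ))
    return entries

def label_for(path, kind, entries):
    """Type a path of the given kind gets: last matching spec wins, and a spec
    limited to one file kind only matches that kind. None = no label/no match."""
    result = None
    for regex, spec_kind, typ in entries:
        if spec_kind in ("all files", kind) and re.fullmatch(regex, path):
            result = typ
    return result

def alternate_labels(entries, prefix):
    """Types used below `prefix` that differ from its catch-all `prefix/.*`
    label, i.e. the specs a single-label relabel of the tree would override."""
    catch_all = {regex: typ for regex, _, typ in entries}.get(prefix + "/.*")
    return sorted({typ for regex, _, typ in entries
                   if regex.startswith(prefix + "/") and typ not in (None, catch_all)})

# Sample 2: the system_map_t rules from the post (wrapped lines joined), plus a
# deliberately small, CONSTRUCTED boot_t set so the comparison has a difference.
ALLOW_RULES = """
allow user_t system_map_t : file { ioctl read getattr lock open } ;
allow klogd_t system_map_t : file { ioctl read getattr lock open } ;
allow initrc_t system_map_t : file { ioctl read getattr lock open } ;
allow insmod_t system_map_t : file { ioctl read getattr lock open } ;
allow nagios_script_t system_map_t : file { ioctl read getattr lock open } ;
allow bootloader_t system_map_t : file { ioctl read getattr lock open } ;
allow nagios_t system_map_t : file { ioctl read getattr lock open } ;
allow depmod_t system_map_t : file { ioctl read getattr lock open } ;
allow xend_t system_map_t : file { ioctl read getattr lock open } ;
allow ipsec_mgmt_t system_map_t : file { ioctl read getattr lock open } ;
allow staff_t system_map_t : file { ioctl read getattr lock open } ;
allow syslogd_t system_map_t : file { ioctl read getattr lock open } ;
allow user_t boot_t : file { ioctl read getattr lock open } ;
allow staff_t boot_t : file { ioctl read getattr lock open } ;
allow example_t boot_t : file read ;
"""

# allow SRC TGT : CLASS { p1 p2 ... } ;   or a single permission without braces
ALLOW_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{\s*([^}]*?)\s*\}|(\S+))\s*;$")

def parse_allow_rules(text):
    """Return [(source, target, class, frozenset(perms))]."""
    rules = []
    for line in text.strip().splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            src, tgt, cls, braced, single = m.groups()
            rules.append((src, tgt, cls, frozenset((braced or single).split())))
    return rules

def domains_with(rules, target, cls, perm):
    """Source domains holding `perm` on `cls` objects of type `target`."""
    return {s for s, t, c, perms in rules if t == target and c == cls and perm in perms}

def read_access_diff(rules, a, b, cls="file"):
    """(domains that read `a` but not `b`, domains that read `b` but not `a`)."""
    ra, rb = domains_with(rules, a, cls, "read"), domains_with(rules, b, cls, "read")
    return sorted(ra - rb), sorted(rb - ra)

if __name__ == "__main__":
    fc = parse_fcontext(FCONTEXT_LISTING)
    print("non-boot_t labels under /boot:", alternate_labels(fc, "/boot"))
    print("/boot/System.map-3.15.0 ->", label_for("/boot/System.map-3.15.0", "regular file", fc))
    rules = parse_allow_rules(ALLOW_RULES)
    print("readers of system_map_t:", sorted(domains_with(rules, "system_map_t", "file", "read")))
    print("read diff system_map_t vs boot_t:", read_access_diff(rules, "system_map_t", "boot_t"))
```

On a live host the authoritative answers come from the tools themselves: `matchpathcon /boot/System.map-$(uname -r)` shows the label policy expects, `restorecon -nv /boot` shows what would be relabelled, and `sesearch -A -t system_map_t -c file -p read` produces the rule listing this parser consumes. The emulation is useful for reasoning about a policy on a box that does not run it, for example when reviewing a change to the file_contexts for /boot before shipping it.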