Re: Fixing /.autorelabel

On Mon, Jul 04, 2016 at 10:25:36AM -0700, Adam Williamson wrote:
> On Mon, 2016-07-04 at 16:34 +0100, Richard W.M. Jones wrote:
> > I don't exactly know where to post this, but I guess I have everyone's
> > attention on this thread.
> > 
> > Attached are patches which work for me.  They could really do with
> > review from someone who knows what they're doing.  They also need much
> > more testing than I've done, but I'll be doing that myself later.
> > 
> > The first patch (against libselinux) sets SELinux to Permissive mode
> > early in boot if the /.autorelabel file is found (or autorelabel on
> > the command line).
> > 
> > The second patch (against policycoreutils in Fedora) implements the
> > generator itself.
> 
> Do we actually *need* the second patch if we have the first? I mean, my
> suggestion was just to do the first patch; if we do that, do we
> actually need to worry about making the relabel happen any earlier than
> it currently does?

Yes this thought crossed my mind too.  However I think it is better to
boot into the minimal target when we do a relabel, just to stop lots
of other units starting.  Possibly including public services which
might start answering network requests while SELinux is not enforcing.
In fact the current design also kinda sorta stops that, but it's not
as watertight as what I did in patch #2 (assuming patch #2 is
implemented correctly).

> but yeah, patch #1 looks like what I wanted, so +1 for that. Note that 
> https://bugzilla.redhat.com/show_bug.cgi?id=1351358 is my bug
> suggesting exactly that, so any update which implements patch #1 can be
> marked as fixing that bug. thanks for this!

I added a comment on that bug pointing at this thread, thanks!

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
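The idea behind patch #2 in the exchange above, written out as an added illustration (this is not either of Rich's patches and not Fedora's own generator): a systemd generator that notices a pending relabel, either the /.autorelabel marker or "autorelabel" on the kernel command line, and redirects the boot into a dedicated target so that the usual multi-user units, network-facing daemons included, are never started while the system is still permissive. The unit name selinux-autorelabel.target, the path under /usr/lib/systemd/system, and the use of a default.target symlink in the early generator directory are assumptions made for the example; the relabel service itself and the units that target pulls in are not shown.

```shell
#!/bin/sh
# Added example, not code from the thread. A systemd generator is invoked as
#   <generator> <normal-dir> <early-dir> <late-dir>
# and may drop unit files or symlinks into those directories before any
# service starts, which is what makes it a good place to divert the boot.

# relabel_pending ROOT CMDLINE
#   ROOT    - root filesystem to inspect (normally "/"; a parameter so the
#             check can be exercised against a scratch directory)
#   CMDLINE - kernel command line text (normally the contents of /proc/cmdline)
# Returns 0 when "$ROOT/.autorelabel" exists or "autorelabel" appears as a
# whole word on the command line, 1 otherwise.
relabel_pending() {
    root=$1
    cmdline=$2
    if [ -e "$root/.autorelabel" ]; then
        return 0
    fi
    # Unquoted on purpose: split the command line into words.
    for word in $cmdline; do
        case $word in
            autorelabel) return 0 ;;
        esac
    done
    return 1
}

# redirect_default_target EARLY_DIR UNIT
#   Replaces default.target for this boot with UNIT (assumed name) by placing
#   a symlink in the early generator directory, which takes precedence over
#   the administrator's default.target in /etc. Prints the link path.
redirect_default_target() {
    early_dir=$1
    unit=$2
    mkdir -p "$early_dir"
    rm -f "$early_dir/default.target"
    ln -s "/usr/lib/systemd/system/$unit" "$early_dir/default.target"
    printf '%s\n' "$early_dir/default.target"
}

# Generator entry point: only divert the boot when a relabel is pending.
main() {
    early_dir=$2
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    if relabel_pending / "$cmdline"; then
        redirect_default_target "$early_dir" selinux-autorelabel.target >/dev/null
    fi
}

# Run as a generator only when systemd hands us the three directories;
# when sourced without arguments the functions are merely defined.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

Because the marker file is checked on the root filesystem before any other unit runs, the redirect happens regardless of whether the relabel was requested by touching /.autorelabel or by editing the boot line, which is the "watertight" property Rich is after: nothing ordered after the default target, such as sshd or httpd, is ever reached on a permissive boot.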