Re: Fixing /.autorelabel

On 07/07/2016 04:59 PM, Richard W.M. Jones wrote:
> On Wed, Jul 06, 2016 at 02:52:34PM +0000, Zbigniew Jędrzejewski-Szmek wrote:
>
>> That patch is the answer to the (repeated) bug reports that relabelling
>> fails if enforcing=1 and the labels are sufficiently messed up.
>> Doing the relabel in permissive mode, without ever going to enforcing
>> mode, seems like the most reliable way out in this case. Starting in
>> enforcing mode first, and then switching back to permissive later
>> is a complication that increased chances of failure.
>
> Upstream SELinux have comprehensively rejected this approach.  They do
> not want to have the presence of /.autorelabel cause SELinux to
> permissive mode.

I kind-of understand why they don't like it: "placing an invisible object in a special location disables the security system".

On the other hand, what is their alternative solution?