On 07/07/2016 04:59 PM, Richard W.M. Jones wrote:

I kind-of understand why they don't like it: "placing an invisible object in a special location disables the security system".

On Wed, Jul 06, 2016 at 02:52:34PM +0000, Zbigniew Jędrzejewski-Szmek wrote:

That patch is the answer to the (repeated) bug reports that relabelling fails if enforcing=1 and the labels are sufficiently messed up. Doing the relabel in permissive mode, without ever going to enforcing mode, seems like the most reliable way out in this case. Starting in enforcing mode first, and then switching back to permissive later is a complication that increased chances of failure.

Upstream SELinux have comprehensively rejected this approach. They do not want to have the presence of /.autorelabel cause SELinux to permissive mode. On the other hand, what is their alternative solution?