Daniel J Walsh wrote:
> fixfiles.cron causes more problems than it solves. It made little sense
> in targeted policy.
<snip>

I understand. But fixfiles.cron will be useful for users who understand SELinux well. I hope the script is included somewhere.

> fixfiles will report these as errors. So until someone comes up
> with a better way to handle these situations I thought it better to not
> install it any longer.

Integrity of labeling is critical for SELinux; it should be solved. I think there are two choices: one is to modify policy and the other is to modify fixfiles.

- Changing policy: For example, if we do not want the label of a key file to ever be changed by setfiles, declare type "key_t" with an attribute, like
    type key_t, dontchange;
  and make setfiles (or fixfiles) run as setfiles_t. setfiles_t is configured to be unable to modify labels for the neverchange attribute.

- Changing fixfiles: There is an exclude list in fixfiles.cron. For example, the content of the list is "httpd_user_script_rw_t" and "gpgkey_t". fixfiles skips files that have a label in the exclude list.

Changing policy is more "MAC" but will take more time to modify and the side effects will be bigger.

---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
http://www.selinux.gr.jp/
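The exclude-list behaviour proposed for fixfiles.cron, as an added example that is not part of the thread or of the real fixfiles script: a filter that drops every path whose SELinux type is on the exclude list, so only the remaining paths would be passed on for relabeling. The input format ("context path", as `ls -Z` printed it on older systems) and the sample listing are constructed here; the two excluded types are the ones named in the message.

```shell
#!/bin/sh
# Added example, not the fixfiles script itself. Types named in the message.
EXCLUDE_TYPES="httpd_user_script_rw_t gpgkey_t"

# Read lines of the form "<user>:<role>:<type> <path>" and print only the
# paths whose type is NOT in EXCLUDE_TYPES, i.e. the ones fixfiles may relabel.
relabel_candidates() {
    while read -r ctx path; do
        # The type is the third colon-separated field of the context.
        type=$(printf '%s' "$ctx" | cut -d: -f3)
        skip=0
        for t in $EXCLUDE_TYPES; do
            [ "$type" = "$t" ] && skip=1
        done
        [ "$skip" -eq 0 ] && printf '%s\n' "$path"
    done
}

# Constructed sample listing (not real system output).
SAMPLE='system_u:object_r:httpd_sys_content_t /var/www/html/index.html
user_u:object_r:httpd_user_script_rw_t /home/alice/public_html/data.txt
user_u:object_r:gpgkey_t /home/alice/.gnupg/secring.gpg
system_u:object_r:etc_t /etc/passwd'

# Prints the two paths that are not protected by the exclude list.
printf '%s\n' "$SAMPLE" | relabel_candidates
```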