On Fri, 2006-04-14 at 13:25 -0400, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > On Fri, 2006-04-14 at 10:53 -0400, Daniel J Walsh wrote:
> >
> >> Please turn on restorecond
> >>
> >> chkconfig --add restorecond
> >> service restorecond start
> >>
> >> We are not transitioning to mount_t from unconfined_t because it causes
> >> lots of other problems such as
> >>
> >> mount > ~/mymounts failing etc. This is the type of problems
> >> restorecond is designed to fix.
> >>
> >
> > Hmmm..why not create a user_mount_t domain and transition to it from
> > unconfined_t, and let it write to user home directory types? While
> > leaving mount_t alone. Then you can define a type transition on
> > user_mount_t etc_t:file etc_runtime_t. Relying on restorecond for
> > something that can be easily addressed via a type transition seems
> > wrong.
> >
> >
> You can do that but I would suggest you create an unconfined_mount_t and
> allow it everything unconfined_t can do. Otherwise we end up with
> people mounting files in random places or outputting mount >>
> /var/mounts whatever. I think very few userspace tools should
> transition, because when they do we end up with lots of bug reports.

Alternatively we could just make mount_t unconfined. Without a mount
transition, anyone that runs mount will most likely be unconfined
already. I don't think that it needs everything that unconfined_t has,
since basically the only thing that unconfined_t has over the unconfined
macro is some transitions, and mount shouldn't need to transition to any
more than it already has.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150