On Tue, 2006-04-18 at 13:39 -0700, Mike Carney wrote:
> I posted the following a few days ago. Some more information:
>
> It seems that all hald wants to do is view the root directory of the
> mounted filesystem. After downloading, installing, and viewing the
> policy source files, it seems rather excessive to grant hald
> permission to search all directories on the mounted volume.
>
> Is the fix to change the policy to simply not audit the attempts
> of the hald domain to get attributes of all filesystems?

No, it should be allowed to get attributes of all filesystems; otherwise, parts of the desktop will break. Didn't this already come up?

> Or add a rule to always relabel the root directory of any r/w filesystem
> to some standard context the hald domain is granted access to?
>
> Finally, there doesn't appear to be a way to convince semanage to accept
> the '<<none>>' (don't recurse when relabeling) keyword when adding a
> context. Is this a bug?

There is no recursion inherent in file contexts - it is only if you specify a regex that has a (/.*)? tail that it is applied to all files under the directory too. <<none>> is if you don't want setfiles to touch the file label at all (ever).

> Guidance as to what the right thing to do would be appreciated (I don't
> mind submitting a bug, just as long as I have the right information to
> place in it).

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
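The distinction Stephen draws above (a bare path regex labels only that directory, a `(/.*)?` tail makes the spec cover everything beneath it, and `<<none>>` tells setfiles to leave the label alone) is easy to check by modelling how file_contexts specs are matched. The script below is an added illustration written for this thread; it is not code from the original message nor from libselinux or setfiles. It assumes the documented file_contexts(5) semantics that each regex is anchored at both ends and that the last matching specification wins, and the spec entries and sample paths are constructed for the demonstration.

```python
import re
from typing import Optional

# Constructed file_contexts-style specifications (regex, context). A context
# of "<<none>>" means setfiles/restorecon must never touch the matched paths.
SPECS = [
    (r"/mnt/data",        "system_u:object_r:mnt_t:s0"),             # no tail: the directory itself only
    (r"/mnt/share(/.*)?", "system_u:object_r:public_content_t:s0"),  # (/.*)? tail: the tree beneath it too
    (r"/mnt/raw(/.*)?",   "<<none>>"),                                # labels under /mnt/raw are left alone
]


def compile_specs(specs):
    """setfiles anchors every regex at both ends, so '/mnt/data' is an exact match only."""
    return [(re.compile("^" + rx + "$"), ctx) for rx, ctx in specs]


ENTRIES = compile_specs(SPECS)


def lookup(entries, path: str) -> Optional[str]:
    """Return the context a relabel would assign to path, or None if no spec matches.

    file_contexts(5) documents that the last matching specification is used,
    which is why more specific entries are conventionally listed later.
    """
    found = None
    for rx, ctx in entries:
        if rx.match(path):
            found = ctx
    return found


def relabel_plan(entries, paths):
    """Describe what a relabel pass would do for each path (action strings are constructed)."""
    plan = {}
    for p in paths:
        ctx = lookup(entries, p)
        if ctx is None:
            plan[p] = "skip (no matching spec)"
        elif ctx == "<<none>>":
            plan[p] = "skip (<<none>>)"
        else:
            plan[p] = "relabel to " + ctx
    return plan


if __name__ == "__main__":
    sample = [
        "/mnt/data",             # matched by the bare spec
        "/mnt/data/report.txt",  # not matched: no (/.*)? tail on /mnt/data
        "/mnt/share",
        "/mnt/share/a/b.txt",    # matched through the (/.*)? tail
        "/mnt/raw/disk.img",     # matched, but <<none>> leaves it untouched
    ]
    for p, action in relabel_plan(ENTRIES, sample).items():
        print(f"{p:24} {action}")
```

Running it shows that only `/mnt/data` itself receives `mnt_t` while `/mnt/data/report.txt` is not covered by any spec, that the `(/.*)?` tail on `/mnt/share` reaches `/mnt/share/a/b.txt`, and that the `<<none>>` entry suppresses relabeling rather than limiting recursion.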