Paul Howarth wrote:
> Daniel J Walsh wrote:
>> Eric Paris wrote:
>>> On Sun, 2008-05-25 at 16:20 +0100, Paul Howarth wrote:
>>>> Is there some reason why the context type of /usr/sbin/mock has
>>>> reverted to bin_t in F9 from unconfined_notrans_exec_t in F8? The
>>>> latter still seems to work OK for me in F9 and significantly reduces
>>>> the number of spurious AVCs when using mock.
>>> I think Dan did it after reading some of my messages about getting
>>> livecd's to work. I've since reverted it on my local livecd building
>>> systems and just haven't told Dan I think unconfined_notrans_exec_t is
>>> the right way to go after all...
>>>
>>> Sorry, just still so much in progress with livecd and eventually mock...
>>>
>>> Dan, I think leave it as notrans for now and eventually I'm going to
>>> want a custom mock/livecd type to be determined at a later date...
>>>
>>> (at least that's my guess...)
>>>
>>> -Eric
>>
>> I changed it back in -58, but I want to generate a mock file context
>> with limited access to network for example.
>
> Please make network access restrictions tunable by a boolean; I tend to
> leave network tests enabled in the packages I build locally in mock.
>
> Paul.

Yes, this would definitely be a tunable. I am just trying to think of ways we could protect the Fedora Infrastructure.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list