Stephen Smalley wrote:
On Thu, 2008-10-09 at 13:29 +0530, Rahul Sundaram wrote:
Hi
Since Fedora doesn't include this software, should an exception be added
to the SELinux policy?
"If you trust mplayer to run correctly, you can change the context of
the executable to unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t '/usr/bin/mplayer'". You must also change the
default file context files on the system in order to preserve them even
on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t
'/usr/bin/mplayer'"
I'd recommend always telling the user to run the semanage command first,
and then run restorecon /usr/bin/mplayer afterward to set it on disk,
rather than having to separately specify the type via chcon.
setroubleshoot really shouldn't ever tell the user to use chcon IMHO.
Fedora doesn't include the software, but SELinux policy already includes
contexts for it, e.g. on F-9:
# semanage fcontext -l | grep mplayer
/usr/bin/xine                     regular file    system_u:object_r:mplayer_exec_t:s0
/usr/bin/mplayer                  regular file    system_u:object_r:mplayer_exec_t:s0
/usr/lib/vmware/bin/vmplayer      regular file    system_u:object_r:vmware_exec_t:s0
/usr/lib64/vmware/bin/vmplayer    regular file    system_u:object_r:vmware_exec_t:s0
So if the current policy isn't right, can't we just fix it and be done
with it rather than adding extra corner cases to setroubleshoot?
Or is it that the default policy works except when using particular
binary codecs that do weird stuff?
Paul.
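Added example, not part of the original thread: a Python check showing why a label set only with chcon is reverted by a full relabel, while one recorded with semanage fcontext is not. The listing and on-disk labels are constructed samples, and the last-match-wins lookup is a simplifying assumption about how file context specs are resolved.

```python
import re

# Constructed sample in the layout of `semanage fcontext -l` output
# (path spec, file type, context); not captured from a real system.
FCONTEXT_LISTING = """\
/usr/bin/xine                   regular file    system_u:object_r:mplayer_exec_t:s0
/usr/bin/mplayer                regular file    system_u:object_r:mplayer_exec_t:s0
/usr/lib/vmware/bin/vmplayer    regular file    system_u:object_r:vmware_exec_t:s0
"""

# Constructed on-disk labels; mplayer was changed with chcon only.
ON_DISK = {
    "/usr/bin/mplayer": "system_u:object_r:unconfined_execmem_exec_t:s0",
    "/usr/bin/xine": "system_u:object_r:mplayer_exec_t:s0",
}

def parse_fcontext(listing):
    """Return [(compiled_spec, file_type, context)] from listing text."""
    rules = []
    for line in listing.splitlines():
        if not line.startswith("/") or len(line.split()) < 3:
            continue  # header, blank or unrelated line
        spec, rest = line.split(None, 1)          # spec is the first token
        ftype, context = rest.rsplit(None, 1)     # context is the last token
        if context.count(":") >= 2:               # skip non-context entries
            rules.append((re.compile(spec), ftype, context))
    return rules

def expected_context(rules, path):
    """Assumption: specs are anchored regexes and the last match wins."""
    found = None
    for spec, _ftype, context in rules:
        if spec.fullmatch(path):
            found = context
    return found

def relabel_drift(rules, on_disk):
    """Map path -> (on-disk type, policy type) where a relabel would change it."""
    drift = {}
    for path, ctx in sorted(on_disk.items()):
        want = expected_context(rules, path)
        if want and ctx.split(":")[2] != want.split(":")[2]:
            drift[path] = (ctx.split(":")[2], want.split(":")[2])
    return drift

if __name__ == "__main__":
    print(relabel_drift(parse_fcontext(FCONTEXT_LISTING), ON_DISK))
```

Appending a rule for /usr/bin/mplayer with the new type to the listing, which is what the semanage command records, makes the drift report empty.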