Re: sVirt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sunday 05 July 2009 11:55:04 Paul Howarth wrote:
> On Sun, 5 Jul 2009 11:36:05 +0100
>
> "Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote:
> > > 4. For ISO files, maybe there should be a new/special file context
> > > which allows sharing between processes ... it would be explicit but
> > > it would allow sharing ... maybe something like "public_content_t".
> >
> > There is already a label for read only guest images
> >
> >   system_u:object_r:svirt_image_t:s0
> >
> > it shouldn't be much work for you to add a custom SELinux plugin that
> > gives httpd_t access to content labelled svirt_image_t. Ask the
> > fedora-selinux mailing list for assistance if needed
>
> Couldn't an ISO image that's already public_content_t (or even
> public_content_rw_t) be left alone, as that type is already well-known
> and used for sharing this type of content by various means?

Yes, exactly my point.

I believe that changing any file context should not be done.  Depend on the 
rules in the security policy or any added with semanage apply.  And then let 
something like public_content_t and public_content_rw_t be OK too.

Mmmm, this makes so much sense that I think I will bugzilla this.

Gene

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux