On Monday 06 July 2009 09:11:17 Gene Czarcinski wrote:
> On Sunday 05 July 2009 11:55:04 Paul Howarth wrote:
> > On Sun, 5 Jul 2009 11:36:05 +0100 "Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote:
> > > > 4. For ISO files, maybe there should be a new/special file context
> > > > which allows sharing between processes ... it would be explicit but
> > > > it would allow sharing ... maybe something like "public_content_t".
> > >
> > > There is already a label for read only guest images
> > >
> > > system_u:object_r:svirt_image_t:s0
> > >
> > > it shouldn't be much work for you to add a custom SELinux plugin that
> > > gives httpd_t access to content labelled svirt_image_t. Ask the
> > > fedora-selinux mailing list for assistance if needed
> >
> > Couldn't an ISO image that's already public_content_t (or even
> > public_content_rw_t) be left alone, as that type is already well-known
> > and used for sharing this type of content by various means?
>
> Yes, exactly my point.
>
> I believe that changing any file context should not be done. Depend on the
> rules in the security policy or any added with semanage apply. And then
> let something like public_content_t and public_content_rw_t be OK too.
>
> Mmmm, this makes so much sense that I think I will bugzilla this.

https://bugzilla.redhat.com/show_bug.cgi?id=509834