Re: RHEL5 initrc_t vs. unconfined_t

Jan-Frode Myklebust wrote:
| On Wed, May 14, 2008 at 06:14:12PM -0400, Daniel J Walsh wrote:
|> |
|> | Yes, GPFS doesn't support the selinux extended attributes, so the
|> | filesystems have to be mounted with f.ex. "-o
|> | fscontext=user_u:object_r:httpd_var_run_t" for static labelling.
|> |
|
|> The other ones are just leaked file descriptors and can be ignored.
|
| So what about the mount/umount and everything else GPFS might want to
| do in the lifetime of the system. I have no way of guessing all things
| it might want to do that could possibly be denied in a transitioning
| domain. Is my only option to manually start the fs from an interactive
| shell to get it running as unconfined?
|
|
|   -jf

You might be able to use the runcon command, or write a simple policy
module for it.

Something like

...

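# cat myapp.te
policy_module(myapp, 1.0)

# Domain for the daemon and the type of its executable
type myapp_t;
type myapp_exec_t;
# Transition to myapp_t when an init script runs a myapp_exec_t file
init_daemon_domain(myapp_t, myapp_exec_t)

# Make the myapp_t domain unconfined
unconfined_domain(myapp_t)

# cat myapp.fc
/usr/bin/myapp	--	gen_context(system_u:object_r:myapp_exec_t,s0)

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myapp.pp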




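A way to check the result of the module suggested above, added here as an example that is not part of the original message: it reads `ps -eZ` output and reports which SELinux domain a daemon landed in, and which processes are still in initrc_t. The sample output and the `legacyd` process are constructed, and the default `ps -eZ` column layout (LABEL PID TTY TIME CMD) is assumed.

```shell
#!/bin/sh
# Added example: confirm a daemon left initrc_t after the policy module
# was loaded. Both functions read `ps -eZ` output on stdin.

# Constructed sample; on a real host pipe in `ps -eZ` instead.
# "legacyd" is a hypothetical daemon that made no domain transition.
sample_ps() {
cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:initrc_t:s0    2210 ?        00:00:00 legacyd
system_u:system_r:myapp_t:s0     2304 ?        00:00:00 myapp
user_u:system_r:unconfined_t:s0-s0:c0.c1023 2410 pts/0 00:00:00 bash
EOF
}

# Print the type (third colon-separated field of the label) of every
# process whose command name equals $1. An MLS range such as
# s0-s0:c0.c1023 adds colons after the type, so the field is taken by
# position from the left.
domain_of() {
    awk -v cmd="$1" 'NR > 1 && $5 == cmd { split($1, c, ":"); print c[3] }'
}

# Print "PID CMD" for every process running in domain $1.
in_domain() {
    awk -v t="$1" 'NR > 1 { split($1, c, ":"); if (c[3] == t) print $2, $5 }'
}

# Succeed only if command $1 is running and every instance is in domain $2.
check_transition() {
    got=$(domain_of "$1" | sort -u)
    [ "$got" = "$2" ]
}

# Demo on the constructed sample: list what is still in initrc_t.
sample_ps | in_domain initrc_t
```

On a live system the same checks would be run as `ps -eZ | check_transition myapp myapp_t`.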
