david@xxxxxxxxxxx wrote:
> Anaconda is a RH installation program, RH should know their own program and > the changes are quite trivial > > diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.5.0/policy/modules/admin/anaconda.te > --- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-07-10 11:38:46.000000000 -0400 > +++ serefpolicy-3.5.0/policy/modules/admin/anaconda.te 2008-07-15 14:05:12.000000000 -0400 > @@ -31,16 +31,11 @@ > modutils_domtrans_insmod(anaconda_t) > > seutil_domtrans_semanage(anaconda_t) > - > -unconfined_domain(anaconda_t) > +seutil_domtrans_setsebool(anaconda_t) > > unprivuser_home_dir_filetrans_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file }) > > optional_policy(` > - dmesg_domtrans(anaconda_t) > -') > - > -optional_policy(` > kudzu_domtrans(anaconda_t) > ') > > @@ -58,5 +53,9 @@ > ') > > optional_policy(` > + unconfined_domain(anaconda_t) > +') > + > +optional_policy(` > usermanage_domtrans_admin_passwd(anaconda_t) > ') >

The main goal of this patch was to get anaconda AVC messages out of the log files. Anaconda has to run the installation in permissive mode, so we need to avoid AVC messages by making it unconfined and avoid transitions wherever possible. The goal is to have /root/anaconda.log without any SELinux errors.

As for Russell's comments, we might want to make this more of a generic installer policy?
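Review bot: In the first hunk (@@ -31,16 +31,11 @@), the added seutil_domtrans_setsebool(anaconda_t) introduces a new domain transition at the same spot where the optional dmesg_domtrans(anaconda_t) block is dropped, and nothing in the patch says why the two helpers are treated differently. A short comment above the new line explaining why setsebool has to run in its own domain while dmesg can stay in anaconda_t would make the intent reviewable; if there is no such reason, leave setsebool in anaconda_t as well so the hunk is consistent.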
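Review bot: In the second hunk (@@ -58,5 +53,9 @@), wrapping unconfined_domain(anaconda_t) in optional_policy means a policy built without the unconfined module silently drops that call, leaving anaconda_t without the unconfined access that the unconditional call removed in the first hunk used to guarantee. Add a comment stating that this fallback is intended, and consider keeping the block where the original call sat near the top of the file rather than between the later optional blocks, so the domain's unconfined status is easy to find when reading anaconda.te.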