Re: [refpolicy-patch 02/23] anaconda policy update

On Tue, 2008-07-22 at 06:16 -0400, Daniel J Walsh wrote:
> david@xxxxxxxxxxx wrote:
> > Anaconda is a RH installation program, RH should know their own program and
> > the changes are quite trivial
> > 
> > diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.5.0/policy/modules/admin/anaconda.te
> > --- nsaserefpolicy/policy/modules/admin/anaconda.te	2008-07-10 11:38:46.000000000 -0400
> > +++ serefpolicy-3.5.0/policy/modules/admin/anaconda.te	2008-07-15 14:05:12.000000000 -0400
> > @@ -31,16 +31,11 @@
> >  modutils_domtrans_insmod(anaconda_t)
> >  
> >  seutil_domtrans_semanage(anaconda_t)
> > -
> > -unconfined_domain(anaconda_t)
> > +seutil_domtrans_setsebool(anaconda_t)
> >  
> >  unprivuser_home_dir_filetrans_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
> >  
> >  optional_policy(`
> > -	dmesg_domtrans(anaconda_t)
> > -')
> > -
> > -optional_policy(`
> >  	kudzu_domtrans(anaconda_t)
> >  ')
> >  
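Review bot: the added `seutil_domtrans_setsebool(anaconda_t)` line introduces a new domain transition with no stated reason, in the same hunk that drops the `dmesg_domtrans(anaconda_t)` block, and the commit message says only that the changes are trivial. Please say why setsebool needs its own transition while dmesg no longer does, ideally in a one-line comment above the call, since `kudzu_domtrans(anaconda_t)` is kept and the rule for which transitions stay is not evident from the diff. Note also that removing the unconditional `unconfined_domain(anaconda_t)` here depends on the second hunk re-adding it, so the two hunks should not be applied separately.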
> > @@ -58,5 +53,9 @@
> >  ')
> >  
> >  optional_policy(`
> > +	unconfined_domain(anaconda_t)
> > +')
> > +
> > +optional_policy(`
> >  	usermanage_domtrans_admin_passwd(anaconda_t)
> >  ')
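Review bot: wrapping `unconfined_domain(anaconda_t)` in `optional_policy` in this added block changes behaviour when the unconfined module is not built: the call is dropped without any error and anaconda_t is left with only the few rules in this file. The old unconditional call would have failed the build in that case instead. If the intent is only to remove the hard dependency on the unconfined module, please add a comment saying so and stating what anaconda_t is expected to be able to do without it; otherwise keep the call unconditional as it was.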
> > 
> The main goal of this patch was to get anaconda AVC messages out of the
> log files.  Anaconda has to run the installation in permissive mode so
> we need to avoid AVC messages by making it unconfined and avoid
> transitions wherever possible. The goal is to have /root/anaconda.log
> without any SELinux errors.  As for Russell's comments we might want to
> make this more of a generic installer policy?

At the moment, I'm not overly concerned about having anaconda in the
tree, since it's unconfined, and rarely gets updates.  Is there even
another installer that runs with SELinux enabled, like anaconda during a
RH/Fedora install?

-- 
Chris PeBenito
<pebenito@xxxxxxxxxx>
Developer,
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243

Attachment: signature.asc
Description: This is a digitally signed message part
