On 02/23/2010 10:42 AM, Stephen Smalley wrote:
On Tue, 2010-02-23 at 10:30 -0800, Justin P. mattock wrote:
On 02/23/2010 10:01 AM, Stephen Smalley wrote:
On Tue, 2010-02-23 at 09:41 -0800, Justin P. mattock wrote:
On 02/23/2010 08:10 AM, Stephen Smalley wrote:
On Tue, 2010-02-23 at 10:56 -0500, Alan Rouse wrote:
Would the proper solution be to add a transition to put that script in the right context when run from a shell?
No. I think we just need to drop the transition to sysadm_t altogether
(at least in the ifdef suse case) and have userspace explicitly arrange
the transition for single-user mode (ala sulogin).
out of curiosity during booting up I'm seeing
a mess load of *.sh files being called
before the policy is loaded.
looking into this I'm seeing them in /lib/mkinitrd/scripts
before I go and mess around with initrd
what are the thoughts on this area?
That's ok - I wouldn't worry about that.
As I said, I think the solution here is just to disable the transition
to sysadm_t, at least if DISTRO=suse.
alright.. in regards to sysadm_t
a quick google found something
similar to what might be happening:
http://www.engardelinux.org/modules/index/list_archives.cgi?list=selinux&page=1000.html&month=2008-03
That was the original discussion that led to the logic you see in
init.te today. In any event, I've taken this up as a separate issue on
refpolicy list.
alright..
I'll look to file some bugs at suse
for pam.d, the config file with the
permissions being that cause libselinux to default
to targeted. and any other that I can think of.
Justin P. mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
