-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Every domain is now reading /sys/devices/system/cpu/online because of changes to glibc.

We are also seeing domains that need write access. For example:

> https://bugzilla.redhat.com/show_bug.cgi?id=685096
>
> for https://bugzilla.redhat.com/show_bug.cgi?id=685096 (IP over
> Infiniband support for NetworkManager), NM needs to be able to
> write to /sys/class/net/ib*/mode. audit2allow says:
>
> allow NetworkManager_t sysfs_t:file write;

It seems we need a better way of labeling files under /sys. genfscon only seems to work at the top level.

Allowing all domains to read sysfs_t does not seem like the correct solution, and allowing NetworkManager to write anywhere on /sys is probably not good either.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7nt5oACgkQrlYvE4MpobOyfwCfav6hMLyB5kPcAJvW81zhqC7o
s30AoJv2aI8RmLi8gDq2gGMjadiyLziP
=PVUp
-----END PGP SIGNATURE-----
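Before deciding between a blanket read rule on sysfs_t and a finer-grained labeling of /sys, it helps to see exactly which domains are being denied which permissions on which sysfs paths. The script below, an added example that is not part of the message above or of any SELinux project code, parses AVC denial records from the audit log and groups them by source domain and path, restricted to a chosen target type (sysfs_t by default). The sample audit lines are constructed for the example; the paths are the ones the message discusses, and the pids, inode numbers and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not taken from the original message). The field
# layout follows the kernel's audit AVC format; one non-sysfs denial is included
# to show that it is filtered out.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1323910000.123:42): avc:  denied  { read } for  pid=1234 comm="sshd" path="/sys/devices/system/cpu/online" dev=sysfs ino=1 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1323910001.456:43): avc:  denied  { write } for  pid=987 comm="NetworkManager" path="/sys/class/net/ib0/mode" dev=sysfs ino=2 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1323910002.789:44): avc:  denied  { read } for  pid=555 comm="ntpd" path="/sys/devices/system/cpu/online" dev=sysfs ino=1 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1323910003.000:45): avc:  denied  { read } for  pid=777 comm="cupsd" path="/etc/shadow" dev=dm-0 ino=99 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# The denied permission set appears as "{ perm perm ... }".
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")
# Everything else is key=value, with values optionally double-quoted.
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC 'denied' record into a dict; return None for any other record."""
    if "avc:" not in line or "denied" not in line:
        return None
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
    # A context is user:role:type[:level]; the type is always the third field.
    try:
        sdomain = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
    except (KeyError, IndexError):
        return None
    return {
        "perms": set(m.group(1).split()),
        "comm": fields.get("comm", ""),
        "path": fields.get("path", ""),
        "sdomain": sdomain,
        "ttype": ttype,
        "tclass": fields.get("tclass", ""),
    }


def summarize_denials(log_text, target_type="sysfs_t"):
    """Map (source domain, path) -> set of denied permissions for one target type."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["ttype"] == target_type:
            summary[(rec["sdomain"], rec["path"])] |= rec["perms"]
    return dict(summary)


def domains_by_path(summary):
    """Invert the summary: which domains touch each path. A path touched by many
    domains is the case where a single shared label is tempting but broad."""
    paths = defaultdict(set)
    for domain, path in summary:
        paths[path].add(domain)
    return dict(paths)


def domains_needing(summary, perm):
    """Sorted list of domains denied a given permission (e.g. 'write')."""
    return sorted({d for (d, _), perms in summary.items() if perm in perms})


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AUDIT_LOG)
    for (domain, path), perms in sorted(summary.items()):
        print(f"{domain:20s} {path:40s} {' '.join(sorted(perms))}")
    print("domains needing write:", domains_needing(summary, "write"))
    print("domains per path:", domains_by_path(summary))
```

Run it against a real `/var/log/audit/audit.log` by replacing SAMPLE_AUDIT_LOG with the file contents; the per-path view shows how many domains would be covered by a read rule on the cpu/online file, while the write list isolates the few domains (here only NetworkManager_t) whose needs would not be met by a read-only rule.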