On Fri, 2006-04-14 at 13:25 -0400, Daniel J Walsh wrote:
Stephen Smalley wrote:
> On Fri, 2006-04-14 at 10:53 -0400, Daniel J Walsh wrote:
>
>> Please turn on restorecond
>>
>> chkconfig --add restorecond
>> service restorecond start
>>
>> We are not transitioning to mount_t from unconfined_t because it causes
>> lots of other problems such as
>>
>> mount > ~/mymounts failing etc. This is the type of problem
>> restorecond is designed to fix.
>>
>
> Hmmm... why not create a user_mount_t domain and transition to it from
> unconfined_t, and let it write to user home directory types? While
> leaving mount_t alone. Then you can define a type transition on
> user_mount_t etc_t:file etc_runtime_t. Relying on restorecond for
> something that can be easily addressed via a type transition seems
> wrong.
>
>
You can do that, but I would suggest you create an unconfined_mount_t and
allow it everything unconfined_t can do. Otherwise we end up with
people mounting files in random places or outputting mount >>
/var/mounts whatever. I think very few userspace tools should
transition, because when they do we end up with lots of bug reports.

Alternatively we could just make mount_t unconfined. Without a mount
transition, anyone that runs mount will most likely be unconfined
already. I don't think that it needs everything that unconfined_t has,
since basically the only thing that unconfined_t has over the unconfined
macro is some transitions, and mount shouldn't need to transition to any
more than it already has.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
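
The domain transition and file type transition proposed by Stephen Smalley above, written out as a loadable policy module. This is an added example, not policy from the thread or from any shipped policy: user_mount_t is the hypothetical type named in the thread, the module name is made up, and the home-directory type names (user_home_dir_t, user_home_t) and the reading of /etc/mtab as the etc_runtime_t file in question are assumptions. It also assumes user_mount_t is separately granted the access mount_t already has.

```selinux
module user_mount_example 1.0;   # hypothetical module name

require {
    type unconfined_t;
    type mount_exec_t;
    type etc_t;
    type etc_runtime_t;
    type user_home_dir_t;        # assumed home-directory types
    type user_home_t;
    attribute domain;
    class process { transition sigchld };
    class fd use;
    class file { read getattr execute entrypoint create write append setattr rename unlink };
    class dir { search write add_name remove_name };
}

# New domain for mount when started by an unconfined user; mount_t is left alone.
type user_mount_t;
typeattribute user_mount_t domain;

# Domain transition: the default transition plus the three permissions it requires.
type_transition unconfined_t mount_exec_t:process user_mount_t;
allow unconfined_t mount_exec_t:file { read getattr execute };
allow unconfined_t user_mount_t:process transition;
allow user_mount_t mount_exec_t:file { read getattr execute entrypoint };
allow user_mount_t unconfined_t:process sigchld;

# "mount > ~/mymounts": the shell opens the file, mount only inherits the
# descriptor. Inherited descriptors are re-checked against the new domain at
# exec, so the new domain needs fd use plus write access to the file's type.
allow user_mount_t unconfined_t:fd use;
allow user_mount_t { user_home_dir_t user_home_t }:file { getattr write append };

# File type transition: files user_mount_t creates in an etc_t directory
# (assumed here to be /etc/mtab and its temporary file) are labelled
# etc_runtime_t at creation, so nothing has to relabel them afterwards.
type_transition user_mount_t etc_t:file etc_runtime_t;
allow user_mount_t etc_t:dir { search write add_name remove_name };
allow user_mount_t etc_runtime_t:file { create read getattr write setattr rename unlink };
```

Redirecting to a path whose type is not listed, such as the `/var/mounts` case raised in the reply, would still be denied under these rules, which is the trade-off the thread is weighing.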