Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

James Morris jmorris at namei.org
Sat Jul 19 08:16:41 UTC 2008


On Thu, 17 Jul 2008, Daniel J Walsh wrote:

> We have just added a new access called open.  Before we had only
> read/write.  You could get read/write errors from open file descriptors
> being passed around as explained above.  useradd dwalsh > ~/myhome  will
> generate an Read/write avc.  This is not some thing to worry about,
> however if named suddenly got an "open" avc on user_home_t you know you
> have a problem.  Since named should never be opening files in the homedir.

Btw, for those that missed it, I covered the new open perm here:
http://james-morris.livejournal.com/31714.html

One effect of this is that I think you could say it makes SELinux a 
lot more Unix-y.


- James
-- 
James Morris
<jmorris at namei.org>




More information about the devel mailing list