restorecon and targeted policy
Russell Coker
russell at coker.com.au
Mon Apr 4 15:09:06 UTC 2005
It seems that restorecon needs to be handled in the targeted policy in the
same way as udev.

I've just been working on setting up kickstart installs for FC4T1 machines
with strict policy. I use lokkit in the kickstart %post to convert it to
strict policy before the first boot. When it boots up the rc.sysinit calls
to restorecon fail if unlimitedRC is not defined (IE a more strict than
default config of the strict policy).

We probably don't need to actually define types for this, just adding
appropriate typealias rules should do as long as the .fc file is there.

The same applies to fsadm and mount. It will also apply to anything else that
can be run before all file systems are mounted.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page