SELinux enforcing disallows opening floppy drive in Nautilus
Daniel J Walsh
dwalsh at redhat.com
Fri Apr 14 17:25:00 UTC 2006
Stephen Smalley wrote:
> On Fri, 2006-04-14 at 10:53 -0400, Daniel J Walsh wrote:
>
>> Please turn on restorecond
>>
>> chkconfig --add restorecond
>> service restorecond start
>>
>> We are not transitioning to mount_t from unconfined_t because it causes
>> lots of other problems such as
>>
>> mount > ~/mymounts failing etc. This is the type of problem
>> restorecond is designed to fix.
>>
>
> Hmmm..why not create a user_mount_t domain and transition to it from
> unconfined_t, and let it write to user home directory types? While
> leaving mount_t alone. Then you can define a type transition on
> user_mount_t etc_t:file etc_runtime_t. Relying on restorecond for
> something that can be easily addressed via a type transition seems
> wrong.
>
>
You can do that but I would suggest you create an unconfined_mount_t and
allow it everything unconfined_t can do. Otherwise we end up with
people mounting files in random places or outputting mount >>
/var/mounts whatever. I think very few userspace tools should
transition, because when they do we end up with lots of bug reports.
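
The domain discussed in this exchange, sketched as a reference-policy module; this is an added example, not policy posted in the thread or shipped by Fedora. The module name, the use of system_r as the role that unconfined_t runs in, and the choice of reference-policy interfaces are assumptions.

```selinux
# unconfined_mount.te (hypothetical module name)
policy_module(unconfined_mount, 1.0.0)

require {
	type unconfined_t;
	type mount_exec_t;
	type etc_t;
	type etc_runtime_t;
	role system_r;
}

# New domain for mount when it is started from an unconfined session.
# The existing mount_t domain is left alone.
type unconfined_mount_t;
domain_type(unconfined_mount_t)
domain_entry_file(unconfined_mount_t, mount_exec_t)

# Assumption: unconfined_t runs in system_r (targeted policy).
role system_r types unconfined_mount_t;

# Executing the mount binary from unconfined_t enters the new domain.
domain_auto_trans(unconfined_t, mount_exec_t, unconfined_mount_t)

# Grant the new domain everything unconfined_t can do, so that
# "mount > ~/mymounts" and similar redirections keep working.
unconfined_domain(unconfined_mount_t)

# Files this domain creates in etc_t directories are labeled
# etc_runtime_t at creation time, so no relabel by restorecond is needed.
type_transition unconfined_mount_t etc_t:file etc_runtime_t;
```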