SELinux enforcing disallows opening floppy drive in Nautilus

Christopher J. PeBenito cpebenito at tresys.com
Fri Apr 14 17:30:09 UTC 2006


On Fri, 2006-04-14 at 13:25 -0400, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > On Fri, 2006-04-14 at 10:53 -0400, Daniel J Walsh wrote:
> >   
> >> Please turn on restorecond
> >>
> >> chkconfig --add restorecond
> >> service restorecond start
> >>
> >> We are not transitioning to mount_t from unconfined_t because it causes 
> >> lots of other problems such as
> >>
> >> mount > ~/mymounts failing etc.  This is the type of problems 
> >> restorecond is designed to fix.
> >>     
> >
> > Hmmm..why not create a user_mount_t domain and transition to it from
> > unconfined_t, and let it write to user home directory types?  While
> > leaving mount_t alone.  Then you can define a type transition on
> > user_mount_t etc_t:file etc_runtime_t.  Relying on restorecond for
> > something that can be easily addressed via a type transition seems
> > wrong.
> >
> >   
> You can do that but I would suggest you create an unconfined_mount_t and 
> allow it everything unconfined_t can do.  Otherwise we end up with 
> people mounting files in random places or outputting mount >> 
> /var/mounts whatever.  I think very few userspace tools should 
> transition, because when they do we end up with lots of bug reports.

Alternatively we could just make mount_t unconfined.  Without a mount
transition, anyone that runs mount will most likely be unconfined
already.  I don't think that it needs everything that unconfined_t has,
since basically the only thing that unconfined_t has over the unconfined
macro is some transitions, and mount shouldn't need to transition to any
more than it already has.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



