Re: idea: setfiles to exclude specific type

[Daniel J Walsh <dwalsh@redhat.com>]

Yuichi Nakamura wrote:

>Hello.
>
>I add setfiles "-x" option.
>I attach my idea in "setfiles.diff".
>
>-x option is used to exclude specified type.
>
>For example,
># setfiles file_contexts /home -x httpd_user_rw_t
>setfiles skips relabeling files that have "httpd_user_rw_t".
>
>The reason why this option is necessary is following.
>I heard that fixfiles.cron is removed, because unwanted alerts are displayed.
>In some case, types must be preserved.
>http://www.redhat.com/archives/fedora-selinux-list/2004-November/msg00061.html
>
>But I think fixfiles.cron is useful, and hope it is included again.
>Because integrity of label is critical for SELinux.
>
>I think to suppress unwanted alerts, 
>it is necessary to add new option in setfiles and modify fixfiles.
>
>Does it sound reasonable?
>
>---
>Yuichi Nakamura
>Japan SELinux Users Group(JSELUG)
>http://www.selinux.gr.jp/
>  
>
Is there any way we could get a list of "variable policy" from the 
loaded context?  Or should we write a file with this in it.

IE,  It would be nice to create an attribute (save_context???)  That we 
could assign to a file context, and have setfiles/restorcon ignore if a 
file is se to this context?    So httpd_???_context_rw_t, gpg_t, 
ssh_key_t, user_tmp_t and others could be ignored if setfiles comes upon 
them on a relabel or check?

I guess we could populate a context file via a grep during policy build.

Ideas?

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.