Re: Added is_context_configurable function

[Daniel J Walsh <dwalsh@redhat.com>]

Stephen Smalley wrote:

>On Tue, 2005-01-11 at 11:12, Daniel J Walsh wrote:
>  
>
>>I think this is more flexible, in that it allows users to specify the 
>>location of these files versus policy.
>>IE I create a new top level directory /rsync which I want to label 
>>ftp_anon_t, I don't want to have to specify
>>ftp_anon_t is an alternative to default_t.
>>    
>>
>
>You could certainly specify a /rsync/(/.*)? entry in file_contexts that
>had both contexts listed.  Ordinary user shouldn't be able to
>create/populate /rsync anyway without administrative setup.
>
>  
>
Using your method for every file he puts under /var/www/html now needs 
him to write some special rule into file_context file?
I don't like the usability of that.

>Failing to associate the context with a location in any manner means
>that setfiles/restorecon will fail to fix the label on e.g. /etc/shadow
>if it happens to get one of these configurable types at some point. 
>Admittedly, getting to that point requires some kind of serious error in
>the first place, but running fixfiles relabel will no longer correct
>such errors for you.
>
>BTW, customizable or alternatives seems better than configurable.
>
>  
>
I was going to put in a -F qualifier which would allow you to override 
the configurable_types.  Also
using -v -v will show you all files with configurable types

restorecon -R -v /var
Quietly leave configurables

restorecon -R -v -v /var
Would leave configurable entries but report them

restorecon -F -R -v /var
Will work like current restorecon works.


Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.