Daniel J Walsh wrote:
> I have removed the disable_trans booleans from Rawhide, and FC7
> Test3. I wanted to remove these booleans because they cause as many
> problems as they solve. If you turn off certain domains, it can
> change the labeling on the system and cause other confined domains to
> blow up.
>
> If you syslog_disable_trans, the devlog_t context is wrong and any
> confined app that tries to syslog will no longer work.
>
> The best thing to do when confronted with an AVC would be to figure
> out if this is expected behavior, if yes then report it as a bug to
> upstream or to the distribution and create a loadable policy module
> that handles the problem.
>
> If there are so many problems or a user just does not want to deal
> with it I figured we could just load a policy that sets the domain as
> an unconfined_domain.
>
> If you wanted to run samba as an unconfined domain you would build a
> policy module
>
> policy_module(mysamba, 1.0)
>
> require {
>     type smbd_t;
> }
>
> unconfined_domain(smbd_t)
>
> Compile it
>
> make -f /usr/share/selinux/devel/Makefile
>
> And load it
>
> semodule -i mysamba.pp
>
> Only problem...
>
> semodule -i mysamba.pp
> libsepol.permission_copy_callback: Module mysamba depends on
> permission * in class capability, not satisfied
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
> But once we fix the interface this should work.
>
> I think this is a better solution, we could even instrument
> system-config-selinux or audit2allow to generate this policy module
> on the fly. I think this is better than disable_trans or setting up a
> boolean for all confined domains to go to unconfined.
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
The attached patch fixes the semodule problem, although it makes changing the policy to add editing access_vectors more complicated.
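The generate, compile and load steps from the quoted mail, written up as a small shell script so the module is produced "on the fly" for any confined domain rather than typed by hand. This is an added example, not code from the original mail or from the SELinux project. It assumes the refpolicy devel Makefile path and the semodule command shown in the mail, plus seinfo from setools for a pre-check that the type exists in the loaded policy (it assumes seinfo lists the type name on stdout when found); the function names and the default module name are my own.

```shell
#!/bin/sh
# Added example (not from the original mail): build and load a loadable
# policy module that makes one confined domain an unconfined_domain.
# Assumes /usr/share/selinux/devel/Makefile and semodule, as in the mail,
# and seinfo (setools) for the optional pre-check.

# Print a .te file wrapping the given type in unconfined_domain().
# $1 = domain type (e.g. smbd_t), $2 = module name, $3 = module version
gen_unconfine_te() {
    domain=$1
    module=${2:-"unconfine_${1%_t}"}   # default name derived from the type
    version=${3:-1.0}
    case $domain in
        *_t) ;;
        *) echo "gen_unconfine_te: '$domain' does not look like a domain type" >&2
           return 1 ;;
    esac
    printf 'policy_module(%s, %s)\n\nrequire {\n\ttype %s;\n}\n\nunconfined_domain(%s)\n' \
        "$module" "$version" "$domain" "$domain"
}

# Generate the .te in a scratch directory, compile it with the devel
# Makefile and load it with semodule. Stops early when the type is not
# present in the loaded policy, since the module could never link then.
# $1 = domain type, $2 = module name (optional)
unconfine_domain() {
    domain=$1
    module=${2:-"unconfine_${1%_t}"}
    if command -v seinfo >/dev/null 2>&1; then
        # assumption: seinfo -t prints the type name when it exists
        if ! seinfo -t "$domain" 2>/dev/null | grep -qw "$domain"; then
            echo "unconfine_domain: type $domain not found in loaded policy" >&2
            return 1
        fi
    fi
    workdir=$(mktemp -d) || return 1
    gen_unconfine_te "$domain" "$module" > "$workdir/$module.te" || { rm -rf "$workdir"; return 1; }
    ( cd "$workdir" && make -f /usr/share/selinux/devel/Makefile ) || { rm -rf "$workdir"; return 1; }
    semodule -i "$workdir/$module.pp"
    status=$?
    rm -rf "$workdir"
    return $status
}

# Usage, as root on an SELinux system:  unconfine_domain smbd_t mysamba
```

The pre-check only catches a missing type; the link failure shown in the mail ("permission * in class capability, not satisfied") comes from the unconfined_domain() interface itself and is not something this script can work around, so semodule's exit status is returned unchanged.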