[refpolicy] admin_firstboot.patch

[dwalsh@redhat.com (Daniel J Walsh)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Russell Coker wrote:
> On Friday 26 September 2008 06:12, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> Russell Coker wrote:
>>> On Thursday 25 September 2008 06:54, Daniel J Walsh <dwalsh@redhat.com> 
> wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patc
>>>> h
>>>>
>>>> Remove TODO, If we have not done it yet we should forgetabout it
>>>>
>>>> Needs to run as an xserver_unconfined
>>> What is the point of having a firstboot_t?  Why not just make it a
>>> typealias for unconfined_t?
>> Probably not, although there may be some transitions for firstboot_t
>> which are not there for unconfined_t.  Both are unconfined domains.
> 
> Why would you want such a transition?
> 
Well we also have the problem of machines without the unconfined domain.
 (MLS, Strict).  So I am not sure how to fix those.  As I have stated
before I think removing the unconfined domain is a mistake, I would much
rather be able to take the unconfined_domain privs away from initrc_t
and other unconfined domains and leave unconfined_t even for MLS
machines, when running as full administrator.  Tools like rpm and dpkg,
firstboot are almost always going to need to be unconfined.  file_trans
is what I was talking about.  Making sure files created in /etc have the
right context.  We can experiment with removing firstboot policy after
F10 is released, to make sure it does not cause any problems.
> firstboot is used to configure firewalls and things, being able to configure 
> them as unconfined_t is desirable and probably necessary.
> 
> From a high-level concept I can't imagine why you would want firstboot_t 
> having any transition that unconfined_t lacks.
> 
> In terms of reducing policy size (and therefore memory use and disk space), 
> removing needless unconfined domains is the best thing to do.
> 
> A recent change that I've made is removing unconfined_crond_t and making 
> unconfined cron jobs run as unconfined_t.
> 
> I'm also wondering whether any of the $1_crond_t domains actually do any good.
> 
Fedora does not use $1_crond_t any longer.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjc26oACgkQrlYvE4MpobPALQCggiaj+TVbCDBcXx35WtzI25l+
BP8AoKS20L3NUo8zuOWZMA+558IcrY9+
=Ni/E
-----END PGP SIGNATURE-----