From mboxrd@z Thu Jan  1 00:00:00 1970
From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 12 Jul 2010 13:33:40 -0400
Subject: [refpolicy] apps_livecd.patch
In-Reply-To: <4C3B2BF6.1010208@gmail.com>
References: <4C06B9EA.8080208@redhat.com> <4C348F2F.4090306@tresys.com> <4C348FCA.8070109@gmail.com> <4C3B2A02.7080209@redhat.com> <4C3B2BF6.1010208@gmail.com>
Message-ID: <4C3B51F4.70601@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/12/2010 10:51 AM, Dominick Grift wrote:
> On 07/12/2010 04:43 PM, Daniel J Walsh wrote:
>> On 07/07/2010 10:31 AM, Dominick Grift wrote:
>>> On 07/07/2010 04:29 PM, Christopher J. PeBenito wrote:
>>>> On 06/02/10 16:07, Daniel J Walsh wrote:
>>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_livecd.patch
>>>>>
>>>>> Policy for livecd tool to allow it to build alternate livecd for
>>>>> different os and policy versions.
>>>>
>>>> Merged.
>>>>
>>>
>>> This policy has a bug:
>>>
>>> +seutil_domtrans_setfiles_mac(livecd_t)
>>>
>>> should be: seutil_run_setfiles_mac(livecd_t, system_r)
>>>
>> Actually, it should be removed since the proper code is in livecd_run.
>
> Then what is this for:
> role system_r types livecd_t;
>
Probably should not be there.  sepolgen added it.  I guess we could allow
some tool to generate livecd via init scripts.  cobbler?  But the policy
should then be livecd_run(cobbler_t, system_r)

> Also:
>
> http://lists.fedoraproject.org/pipermail/selinux/2010-June/012699.html
>
>
>> Currently we don't allow system (init) processes to run this domain.
>>
>>> Because else you will hit a constraint (no role is allowed the
>>> setfiles_mac_t domain)
>>>
>>> _______________________________________________
>>> refpolicy mailing list
>>> refpolicy at oss.tresys.com
>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>
>
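The distinction the thread turns on, as an added illustration that is not part of the original message or the project's own source: a `_domtrans` interface grants only the type transition, while a `_run` interface also authorizes a role for the target type. The body of `livecd_run` below is an assumed shape following the usual refpolicy `_run` pattern, and `livecd_domtrans` is an assumed helper name.

```m4
# Added illustration, not the merged policy.

########################################
# livecd.te: the line reported as a bug in the thread.
# It lets livecd_t transition to setfiles_mac_t, but no role is
# authorized for setfiles_mac_t, so the transition hits the role
# constraint described in the thread.
seutil_domtrans_setfiles_mac(livecd_t)

########################################
# livecd.if: assumed shape of the caller-facing interface.
#   $1 = domain allowed to run livecd
#   $2 = role that livecd_t and its children run under
interface(`livecd_run',`
	gen_require(`
		type livecd_t;
	')

	# Type transition from the caller into livecd_t
	# (livecd_domtrans is an assumed name).
	livecd_domtrans($1)

	# RBAC: authorize the caller's role for livecd_t.
	role $2 types livecd_t;

	# Transition to setfiles_mac_t and authorize the same role
	# for it, which the bare _domtrans call above does not do.
	seutil_run_setfiles_mac(livecd_t, $2)
')

########################################
# Caller policy: the hypothetical case raised in the reply, where an
# init-started tool is allowed to build live CDs. With this in place
# the unconditional "role system_r types livecd_t;" in livecd.te
# is no longer needed.
livecd_run(cobbler_t, system_r)
```

Because the role is a parameter of the interface, each caller decides which role may enter `livecd_t` and `setfiles_mac_t`, instead of the module hard-coding `system_r` for everyone.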