Re: [Libguestfs] selinux question and answer

On Thu, 2009-08-13 at 10:22 +0100, Matthew Booth wrote: > On 12/08/09 20:04, Richard W.M. Jones wrote: >> On Wed, Aug 12, 2009 at 02:41:16PM -0400, Daniel J Walsh wrote: >>> F11, F12, F..., RHEL6 ... >>> setcon("unconfined_u:unconfined_r:unconfined_t:s0") >>> >>> RHEL5 >>> setcon("user_u:system_r:unconfined_t:s0") >>> >>> Would be valid, then you do not need to worry about executing a shell. >> >> Matt maybe we want this patch after all? >> > > Ok. We have a use case (/etc/mtab) which would be broken without this. > I'd go ahead and add it. > > I'm inclined to try setcon to an ordered list of targets, stopping when > one works. So far, I think we've got: > > 1. unconfined_u:unconfined_r:unconfined_t:s0 > 2. user_u:system_r:unconfined_t:s0 3. sysadm_u:sysadm_r:sysadm_t:s0 > 4. system_u:object_r:unconfined_t:s0 5. system_u:object_r:sysadm_t:s0 > sysadm_t was mentioned on our call yesterday as being the root login > domain for an MLS policy. What's a good set for MLS?