On Thu, Aug 13, 2009 at 10:22:03AM +0100, Matthew Booth wrote:
> On 12/08/09 20:04, Richard W.M. Jones wrote:
>> On Wed, Aug 12, 2009 at 02:41:16PM -0400, Daniel J Walsh wrote:
>>> F11, F12, F..., RHEL6 ...
>>> setcon("unconfined_u:unconfined_r:unconfined_t:s0")
>>>
>>> RHEL5
>>> setcon("user_u:system_r:unconfined_t:s0")
>>>
>>> Would be valid, then you do not need to worry about executing a shell.
>>
>> Matt maybe we want this patch after all?
>>
> Ok. We have a use case (/etc/mtab) which would be broken without this.
> I'd go ahead and add it.
>
> I'm inclined to try setcon to an ordered list of targets, stopping when
> one works. So far, I think we've got:
>
> 1. unconfined_u:unconfined_r:unconfined_t:s0
> 2. user_u:system_r:unconfined_t:s0
> 3. system_u:object_r:unconfined_t:s0
>
> sysadm_t was mentioned on our call yesterday as being the root login
> domain for an MLS policy. What's a good set for MLS?
Could you discover the necessary/supported targets from semanage, eg
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles

root            user       s0         SystemLow-SystemHigh  system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh  system_r
user_u          user       s0         SystemLow-SystemHigh  system_r sysadm_r user_r
Daniel
--
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
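The ordered-fallback loop Matt describes, written out as an added example; it is not code from this thread or from libguestfs. The three candidate contexts are the ones listed above, but their order (newest policy first) is an assumption, as is the `USE_LIBSELINUX` macro, which is this example's own switch: build with `-DUSE_LIBSELINUX -lselinux` to call the real setcon(3) from libselinux (assumed to take a `const char *`), or without it to use a constructed stub that accepts only the RHEL5 context so the selection logic can be exercised on a host with no SELinux at all.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifdef USE_LIBSELINUX
#include <selinux/selinux.h>   /* real setcon(3); link with -lselinux */
#endif

/* Signature shared by libselinux's setcon() and the stubs below. */
typedef int (*set_context_fn)(const char *context);

/* Ordered candidate list taken from the thread. Trying the newest policy
 * first is an assumption; NULL terminates the list. */
static const char *const unconfined_candidates[] = {
    "unconfined_u:unconfined_r:unconfined_t:s0",  /* F11, F12, ..., RHEL6 */
    "user_u:system_r:unconfined_t:s0",            /* RHEL5 */
    "system_u:object_r:unconfined_t:s0",
    NULL,
};

/* Walk `candidates` in order, calling `try_set` on each and stopping at the
 * first one that succeeds. Returns the index of the accepted context and
 * stores its string in *chosen; returns -1 and sets *chosen to NULL when
 * every candidate is rejected. `last_errno` (may be NULL) receives the errno
 * of the final failure so the caller can log why nothing matched instead of
 * silently carrying on in the wrong domain. */
int select_context(const char *const *candidates, set_context_fn try_set,
                   const char **chosen, int *last_errno)
{
    int saved = 0;
    *chosen = NULL;
    for (int i = 0; candidates[i] != NULL; i++) {
        if (try_set(candidates[i]) == 0) {
            *chosen = candidates[i];
            return i;
        }
        saved = errno;   /* e.g. EINVAL: not a valid context under this policy */
    }
    if (last_errno)
        *last_errno = saved;
    return -1;
}

/* Constructed stub used when libselinux is not available: it behaves like a
 * RHEL5-style policy that accepts only the second candidate. It changes no
 * process attribute. */
int stub_setcon(const char *context)
{
    if (strcmp(context, "user_u:system_r:unconfined_t:s0") == 0)
        return 0;
    errno = EINVAL;
    return -1;
}

/* Constructed stub that rejects everything, to exercise the no-match path. */
int rejecting_setcon(const char *context)
{
    (void)context;
    errno = EINVAL;
    return -1;
}

/* Convenience wrapper: returns the accepted context string or NULL. */
const char *pick_unconfined_context(set_context_fn try_set)
{
    const char *chosen;
    select_context(unconfined_candidates, try_set, &chosen, NULL);
    return chosen;
}

int main(void)
{
#ifdef USE_LIBSELINUX
    set_context_fn setter = setcon;        /* the real thing */
#else
    set_context_fn setter = stub_setcon;   /* offline demonstration */
#endif
    const char *chosen;
    int err = 0;
    int idx = select_context(unconfined_candidates, setter, &chosen, &err);
    if (idx < 0) {
        fprintf(stderr, "no candidate context accepted: %s\n", strerror(err));
        return 1;
    }
    printf("using candidate %d: %s\n", idx + 1, chosen);
    return 0;
}
```

The point of returning the index and the last errno rather than a bare success flag is that the caller can tell which policy generation it landed on and, when nothing matched, distinguish "no such context under this policy" from a denial, which is what you would want in a log line before deciding whether to proceed unconfined or fail closed.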