Re: [atomic-devel] A new policy rpm for Atomic?

On 06/27/2016 02:04 AM, Miroslav Grepl wrote:
Hi guys,
I am finally looking for open Atomic issues with SELinux for which we
came up with seatomic and I want to move it forward. My idea is we could
start to ship selinux-policy-atomic.rpm based on the
selinux-policy-targeted where we could reduce the number of types and
add any needed changes.

For example


is a good example. If we add a new label we will have an issue because
we don't have "mac_admin" for unconfined_service_t.

So we could start to discuss how it is possible to ship new policy on
Atomic to solve these urgent issues.

Can you guys think of a way to do it? Can you identify possible
issues with that?

Thank you,

I guess we could ask whether it is important or not. The main reason to stop unconfined processes
from having mac_admin is to stop typos when a user does something like

chcon -t http_sys_content_t badexample.html

Probably not something that will often be done on an Atomic platform. The other option is to just have install_t and install_exec_t and only give this to the domains that Atomic Host uses for installing new versions of policy.

Handling docker and container context will be interesting, since we could finally break away from badly named types like svirt_lxc_net_t and svirt_sandbox_file_t. (container_net_t and container_image_t?)

