[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [atomic-devel] A new policy rpm for Atomic?

From: Daniel J Walsh <dwalsh redhat com>
To: Miroslav Grepl <mgrepl redhat com>, atomic-devel <atomic-devel projectatomic io>
Subject: Re: [atomic-devel] A new policy rpm for Atomic?
Date: Tue, 28 Jun 2016 04:12:57 -0700



On 06/27/2016 02:04 AM, Miroslav Grepl wrote:

Hi guys,
I am finally looking for opened Atomic issues with SELinux for what we
came with seatomic and I want to move it forward. My idea is we could
start to ship selinux-policy-atomic.rpm based on the
selinux-policy-targeted where we could reduce the number of types and
add possible needed changes.

For example

https://bugzilla.redhat.com/show_bug.cgi?id=1309075

is a good example. If we add a new label we will have an issue because
we don't have "mac_admin" for unconfined_service_t.

So we could start to discuss how it is possible to ship new policy on
Atomic to solve these urgent issues.

Can you think guys about a way how to do it? Can you identify possible
issues with that?


Thank you,

I guess we could ask is it important or not. The main reason to stopunconfined processes

from having mac_admin is to stop typos when a user does something like

chcon -t http_sys_content_t badexample.html

Probably not something that will often be done on atomic platform. Otheroption is to just haveinstall_t and install_exec_t and only give this to the domains thatatomic host uses for installing new versions

of policy.

Handling docker and container context will be interesting, since wecould finally break away from badly namedtypes like svirt_lxc_net_t and svirt_sandbox_file_t. (container_net_tand container_image_t?)

Follow-Ups:
- Re: [atomic-devel] A new policy rpm for Atomic?
  - From: Miroslav Grepl

References:
- [atomic-devel] A new policy rpm for Atomic?
  - From: Miroslav Grepl

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]