[refpolicy] kernel_corecommands.patch
Daniel J Walsh
dwalsh at redhat.com
Tue Dec 9 07:43:18 CST 2008
Martin Orr wrote:
> On 02/12/08 22:51, Christopher J. PeBenito wrote:
>> On Tue, 2008-11-25 at 16:35 -0500, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corecommands.patch
>>>
>>> Add bin_t for ConsoleKit scripts
>> Merged, with some rearrangement.
>
> It is not clear to me - why should these be labelled as bin_t instead of
> consolekit_exec_t? Are they run by anything other than consolekit?
>
> Best wishes,
>
Not currently, but we do not always label all binaries with a context
that can cause a transition. And theoretically these scripts could be
used by another application. Just because a script is labeled bin_t and
can be executed by a confined domain, does not mean it adds any privs to
the confined domain. bin_t apps will execute in the current domain.