Daniel J Walsh
dwalsh at redhat.com
Fri Sep 26 07:55:06 CDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Russell Coker wrote:
> On Friday 26 September 2008 06:12, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> Russell Coker wrote:
>>> On Thursday 25 September 2008 06:54, Daniel J Walsh <dwalsh at redhat.com>
>>>> Remove TODO, If we have not done it yet we should forgetabout it
>>>> Needs to run as an xserver_unconfined
>>> What is the point of having a firstboot_t? Why not just make it a
>>> typealias for unconfined_t?
>> Probably not, although there may be some transitions for firstboot_t
>> which are not there for unconfined_t. Both are unconfined domains.
> Why would you want such a transition?
Well we also have the problem of machines without the unconfined domain.
(MLS, Strict). So I am not sure how to fix those. As I have stated
before I think removing the unconfined domain is a mistake, I would much
rather be able to take the unconfined_domain privs away from initrc_t
and other unconfined domains and leave unconfined_t even for MLS
machines, when running as full administrator. Tools like rpm and dpkg,
firstboot are almost always going to need to be unconfined. file_trans
is what I was talking about. Making sure files created in /etc have the
right context. We can experiment with removing firstboot policy after
F10 is released, to make sure it does not cause any problems.
> firstboot is used to configure firewalls and things, being able to configure
> them as unconfined_t is desirable and probably necessary.
> From a high-level concept I can't imagine why you would want firstboot_t
> having any transition that unconfined_t lacks.
> In terms of reducing policy size (and therefore memory use and disk space),
> removing needless unconfined domains is the best thing to do.
> A recent change that I've made is removing unconfined_crond_t and making
> unconfined cron jobs run as unconfined_t.
> I'm also wondering whether any of the $1_crond_t domains actually do any good.
Fedora does not use $1_crond_t any longer.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the refpolicy