[refpolicy] [PATCH 1/2] Label /var/run/mdadm/map as mdadm_map_t

Dominick Grift dominick.grift at gmail.com
Thu Sep 13 11:09:28 CDT 2012



On Thu, 2012-09-13 at 11:36 -0400, Daniel J Walsh wrote:
> On 09/12/2012 12:49 PM, Dominick Grift wrote:
> > 
> > 
> > On Wed, 2012-09-12 at 01:31 +0200, Laurent Bigonville wrote:
> >> From: Laurent Bigonville <bigon at bigon.be>
> >> 
> >> mdadm is now creating map file under /run/mdadm/map --- raid.fc |    1 + 
> >> 1 file changed, 1 insertion(+)
> >> 
> >> diff --git a/raid.fc b/raid.fc index ed9c70d..e3c8bfb 100644 ---
> >> a/raid.fc +++ b/raid.fc @@ -4,3 +4,4 @@ /sbin/mdmpd		--
> >> gen_context(system_u:object_r:mdadm_exec_t,s0)
> >> 
> >> /var/run/mdadm(/.*)?		gen_context(system_u:object_r:mdadm_var_run_t,s0) 
> >> +/var/run/mdadm/map	--	gen_context(system_u:object_r:mdadm_map_t,s0)
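Review bot: the added `/var/run/mdadm/map` entry in raid.fc only takes effect when the file is relabeled (restorecon or a full relabel). A map file that mdadm creates at runtime inside /var/run/mdadm inherits the directory's mdadm_var_run_t unless the policy also has a type transition to mdadm_map_t for it. The diffstat shows only raid.fc changing, so please confirm that raid.te already declares mdadm_map_t and has a matching file transition for files created in the mdadm_var_run_t directory, or that patch 2/2 adds them. Otherwise the label the file actually gets and this file context will disagree. The commit message also says /run/mdadm/map while the entry is written as /var/run/mdadm/map; a short line in the message explaining why the /var/run form is used here would help.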
> > 
> > I think it's probably best to drop mdadm_map_t and make it an alias of 
> > mdadm_var_run_t instead.
> > 
> > I have some changes from both myself and fedora for raid module in the 
> > pipeline.
> > 
> > It sucks, though, because both Fedora and refpolicy made mdadm_t an 
> > unconfined type. That basically makes it almost impossible for us to 
> > develop it further and receive feedback on it.
> > 
> > 
> Dominick, let's turn that off in Rawhide.
> 

That is a good idea. I would like to hear pebenito's opinion about
removing it in refpolicy as well.

What caused refpolicy to make mdadm_t an unconfined domain in the first
place?



