On Thu, 2007-01-25 at 06:57 -0500, Stephen Smalley wrote:
> On Wed, 2007-01-24 at 16:37 -0500, Daniel J Walsh wrote:
> > Currently you can run semanage/semodule at SystemLow and they end up
> > creating files in /etc/selinux/mls/seusers and
> > /etc/selinux/mls/policy/policy.21 at SystemLow.
> >
> > The system defaults say they should be at SystemHigh. I am not sure why
> > they are specified at SystemHigh, but we either need to change the
> > specification or lots of other files need to be moved to system high and
> > perhaps only allow semanage to run at SystemHigh.
> >
> > Running semanage at SystemHigh, ends up creating a bunch of files at
> > SystemHigh that should be SystemLow, also. So no easy fix.
>
> Running semanage/semodule at SystemLow and using range_transition to
> transition the files to SystemHigh may work. But are they truly
> SystemHigh in their data?

And what inputs to them are considered SystemHigh, as those files would
need to be kept at SystemHigh as well? range_transition may be
insufficiently granular if you want to keep some of the policy files at
SystemLow and others at SystemHigh; we would need libsemanage to call
matchpathcon() and setfscreatecon() on each file it creates.

--
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
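Added example, not part of the original message and not libsemanage's code: the per-file pattern the reply proposes, where each file is created under the context that matchpathcon() returns for its path and the fscreate context is reset afterwards. The helper `create_labeled`, the `USE_LIBSELINUX` build switch, and the stand-in functions with their sample contexts are assumptions constructed for illustration; with the real library, paths must be absolute for the spec to match.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifdef USE_LIBSELINUX   /* real calls: build with -DUSE_LIBSELINUX -lselinux */
#include <selinux/selinux.h>
#else
/* Constructed stand-ins with libselinux's signatures so the block runs offline. */
static char fscreate_now[128];  /* context the next created file would receive */
static int matchpathcon(const char *path, mode_t mode, char **con)
{
    /* Constructed spec: names containing "policy." are SystemHigh, the rest SystemLow. */
    const char *c = strstr(path, "policy.")
        ? "system_u:object_r:policy_config_t:s15:c0.c1023"
        : "system_u:object_r:selinux_config_t:s0";
    (void)mode;
    if ((*con = malloc(strlen(c) + 1)) == NULL)
        return -1;
    strcpy(*con, c);
    return 0;
}
static int setfscreatecon(const char *con)
{
    snprintf(fscreate_now, sizeof fscreate_now, "%s", con ? con : "");
    return 0;
}
static void freecon(char *con) { free(con); }
#endif

static char last_label[128];    /* context requested for the most recent file */

/* Create `path` carrying the context the file-contexts spec assigns to it. */
int create_labeled(const char *path, mode_t perms)
{
    char *con = NULL;
    int fd = -1;

    if (matchpathcon(path, S_IFREG | perms, &con) < 0)
        return -1;              /* no spec entry: fail rather than mislabel */
    if (setfscreatecon(con) == 0) {
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL, perms);
        snprintf(last_label, sizeof last_label, "%s", con);
        setfscreatecon(NULL);   /* reset, or later files inherit this label */
    }
    freecon(con);
    return fd;
}
```

Newer libselinux releases mark matchpathcon() deprecated in favour of selabel_lookup(); the set, create, reset sequence is unchanged.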
