On 06/27/2016 02:04 AM, Miroslav Grepl wrote:
Hi guys,
I am finally looking for opened Atomic issues with SELinux for what we
came with seatomic and I want to move it forward. My idea is we could
start to ship selinux-policy-atomic.rpm based on the
selinux-policy-targeted where we could reduce the number of types and
add possible needed changes.
For example
https://bugzilla.redhat.com/show_bug.cgi?id=1309075
is a good example. If we add a new label we will have an issue because
we don't have "mac_admin" for unconfined_service_t.
So we could start to discuss how it is possible to ship new policy on
Atomic to solve these urgent issues.
Can you think guys about a way how to do it? Can you identify possible
issues with that?
Thank you,
I guess we could ask is it important or not. The main reason to stop
unconfined processes
from having mac_admin is to stop typos when a user does something like
chcon -t http_sys_content_t badexample.html
Probably not something that will often be done on atomic platform. Other
option is to just have
install_t and install_exec_t and only give this to the domains that
atomic host uses for installing new versions
of policy.
Handling docker and container context will be interesting, since we
could finally break away from badly named
types like svirt_lxc_net_t and svirt_sandbox_file_t. (container_net_t
and container_image_t?)
