On 06/28/2016 01:12 PM, Daniel J Walsh wrote:
>
>
> On 06/27/2016 02:04 AM, Miroslav Grepl wrote:
>> Hi guys,
>> I am finally looking at the open Atomic issues with SELinux for what we
>> came up with as seatomic, and I want to move it forward. My idea is we could
>> start to ship selinux-policy-atomic.rpm based on
>> selinux-policy-targeted, where we could reduce the number of types and
>> add any needed changes.
>>
>> For example
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1309075
>>
>> is a good example. If we add a new label we will have an issue because
>> we don't have "mac_admin" for unconfined_service_t.
>>
>> So we could start to discuss how it is possible to ship a new policy on
>> Atomic to solve these urgent issues.
>>
>> Can you guys think about a way to do it? Can you identify possible
>> issues with that?
>>
>>
>> Thank you,
>>
> I guess we could ask whether it is important or not. The main reason to stop
> unconfined processes from having mac_admin is to stop typos when a user
> does something like
>
> chcon -t http_sys_content_t badexample.html
>
> Probably not something that will often be done on the Atomic platform. The
> other option is to just have install_t and install_exec_t and only give
> this to the domains that Atomic host uses for installing new versions
> of policy.
>
> Handling docker and container contexts will be interesting, since we
> could finally break away from badly named types like svirt_lxc_net_t and
> svirt_sandbox_file_t. (container_net_t and container_image_t?)
Yes, and we can do that also with the current language. My point is we need
to find a way to replace the current selinux-policy-targeted.rpm on Atomic
with a new selinux-policy-atomic.rpm as a first important step to get a new
policy on Atomic.

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
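The typo case Dan raises (chcon with a mistyped type, which the kernel rejects only when the caller lacks mac_admin) can also be caught in user space before the label is applied. The following is an added example, not code from the thread or from the selinux-policy project; it assumes `seinfo -t` from setools lists the loaded policy's types, and when seinfo is absent it falls back to the constructed SAMPLE_TYPES list below as a stand-in for a policy.

```shell
#!/bin/sh
# Constructed stand-in for a policy's type list, used when seinfo is unavailable.
SAMPLE_TYPES="httpd_sys_content_t
httpd_sys_rw_content_t
container_file_t
unconfined_service_t"

# policy_types: print one type per line, from the running policy if possible.
policy_types() {
    if command -v seinfo >/dev/null 2>&1; then
        # seinfo -t prints a "Types: N" header followed by one indented type per line.
        seinfo -t 2>/dev/null | sed -n 's/^[[:space:]]*\([A-Za-z0-9_]\{1,\}\)$/\1/p'
    else
        printf '%s\n' "$SAMPLE_TYPES"
    fi
}

# type_is_known TYPE: exit 0 if TYPE is defined in the policy, 1 otherwise.
type_is_known() {
    policy_types | grep -qx -- "$1"
}

# safe_chcon TYPE FILE: relabel only when TYPE exists in the policy.
# On an unknown type it fails closed and lists types sharing the same prefix,
# which is what a mac_admin-less caller gets from the kernel, minus the hint.
safe_chcon() {
    t=$1; f=$2
    if type_is_known "$t"; then
        chcon -t "$t" -- "$f"
    else
        echo "refusing: type '$t' is not defined in the loaded policy" >&2
        stem=$(printf '%s' "$t" | cut -c1-4)
        policy_types | grep -- "^$stem" | sed 's/^/  did you mean: /' >&2 || true
        return 1
    fi
}
```

Running `safe_chcon http_sys_content_t badexample.html` refuses the relabel and suggests the httpd_* types instead of silently leaving the file with a label no domain can use.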