Is there some reason why the context type of /usr/sbin/mock has reverted to bin_t in F9 from unconfined_notrans_exec_t in F8? The latter still seems to work OK for me in F9 and significantly reduces the number of spurious AVCs when using mock.
Paul.
On Sun, 2008-05-25 at 16:20 +0100, Paul Howarth wrote:
> Is there some reason why the context type of /usr/sbin/mock has reverted to bin_t in F9 from unconfined_notrans_exec_t in F8? The latter still seems to work OK for me in F9 and significantly reduces the number of spurious AVCs when using mock.

I think Dan did it after reading some of my messages about getting livecd's to work. I've since reverted it on my local livecd building systems and just haven't told Dan I think unconfined_notrans_exec_t is the right way to go after all...
Sorry, just still so much in progress with livecd and eventually mock...
Dan, I think leave it as notrans for now and eventually I'm going to want a custom mock/livecd type to be determined at a later date...
(at least that's my guess...)
-Eric
Eric Paris wrote:
> On Sun, 2008-05-25 at 16:20 +0100, Paul Howarth wrote:
>> Is there some reason why the context type of /usr/sbin/mock has reverted to bin_t in F9 from unconfined_notrans_exec_t in F8? The latter still seems to work OK for me in F9 and significantly reduces the number of spurious AVCs when using mock.
>
> I think Dan did it after reading some of my messages about getting livecd's to work. I've since reverted it on my local livecd building systems and just haven't told Dan I think unconfined_notrans_exec_t is the right way to go after all...
> Sorry, just still so much in progress with livecd and eventually mock...
> Dan, I think leave it as notrans for now and eventually I'm going to want a custom mock/livecd type to be determined at a later date...
> (at least that's my guess...)
> -Eric
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

I changed it back in -58, but I want to generate a mock file context with limited access to the network, for example.
Daniel J Walsh wrote:
> Eric Paris wrote:
>> On Sun, 2008-05-25 at 16:20 +0100, Paul Howarth wrote:
>>> Is there some reason why the context type of /usr/sbin/mock has reverted to bin_t in F9 from unconfined_notrans_exec_t in F8? The latter still seems to work OK for me in F9 and significantly reduces the number of spurious AVCs when using mock.
>>
>> I think Dan did it after reading some of my messages about getting livecd's to work. I've since reverted it on my local livecd building systems and just haven't told Dan I think unconfined_notrans_exec_t is the right way to go after all...
>> Sorry, just still so much in progress with livecd and eventually mock...
>> Dan, I think leave it as notrans for now and eventually I'm going to want a custom mock/livecd type to be determined at a later date...
>> (at least that's my guess...)
>> -Eric
>
> I changed it back in -58, but I want to generate a mock file context with limited access to the network, for example.

Please make network access restrictions tunable by a boolean; I tend to leave network tests enabled in the packages I build locally in mock.
Paul.
Paul Howarth wrote:
> Daniel J Walsh wrote:
>> Eric Paris wrote:
>>> On Sun, 2008-05-25 at 16:20 +0100, Paul Howarth wrote:
>>>> Is there some reason why the context type of /usr/sbin/mock has reverted to bin_t in F9 from unconfined_notrans_exec_t in F8? The latter still seems to work OK for me in F9 and significantly reduces the number of spurious AVCs when using mock.
>>>
>>> I think Dan did it after reading some of my messages about getting livecd's to work. I've since reverted it on my local livecd building systems and just haven't told Dan I think unconfined_notrans_exec_t is the right way to go after all...
>>> Sorry, just still so much in progress with livecd and eventually mock...
>>> Dan, I think leave it as notrans for now and eventually I'm going to want a custom mock/livecd type to be determined at a later date...
>>> (at least that's my guess...)
>>> -Eric
>>
>> I changed it back in -58, but I want to generate a mock file context with limited access to the network, for example.
>
> Please make network access restrictions tunable by a boolean; I tend to leave network tests enabled in the packages I build locally in mock.
> Paul.

Yes, this would definitely be a tunable. I am just trying to think of ways we could protect the Fedora Infrastructure.