On Sunday 05 July 2009 11:55:04 Paul Howarth wrote:
On Sun, 5 Jul 2009 11:36:05 +0100
"Daniel P. Berrange" berrange@redhat.com wrote:
- For ISO files, maybe there should be a new/special file context
which allows sharing between processes ... it would be explicit but it would allow sharing ... maybe something like "public_content_t".
There is already a label for read only guest images
system_u:object_r:svirt_image_t:s0
it shouldn't be much work for you to add a custom SELinux plugin that gives httpd_t access to content labelled svirt_image_t. Ask the fedora-selinux mailing list for assistance if needed
Couldn't an ISO image that's already public_content_t (or even public_content_rw_t) be left alone, as that type is already well-known and used for sharing this type of content by various means?
Yes, exactly my point.
I believe that changing any file context should not be done. Depend on the rules in the security policy or any added with semanage apply. And then let something like public_content_t and public_content_rw_t be OK too.
Mmmm, this makes so much sense that I think I will bugzilla this.
Gene