Tim wrote:
On Mon, 2007-06-11 at 14:07 -0400, Daniel J Walsh wrote:
If the setroubleshoot tells you to relabel a file/directory try it.
If it works then don't report a bug unless it returns.
So a bug, somewhere, but not with SELinux (it's denying as told to)?
In those cases where something does need a rule change, or special
contexts applied to some locations, who determines the master rules?
SELinux policy makers?
Yes, although often in consultation with the package maintainers.
The builder of the package that wants more than
it's getting?
Usually they will get what they want. Although we might suggest they
change the way the app works.
I mean that in the cases that aren't where a package should get rebuilt
to not want to do what it's being denied. That's obviously a bug with
those packages.
Denial messages can happen for a variety of reasons.
Badly written policy, (Mistakes in policy or code paths being crossed
policy writer did not know about it.)
Badly written App
User mis labeling
User changing the configuration and not fixing the labeling or
booleans. (ftp can be run in two ways anonymous ftp or access to users
home dirs. If you change the configuration you need to tell SELinux
about it.)
System becoming mislabeled (Upgrading from fc6-fc7)
You are being hacked