path: root/doc/server/selinux.txt
author: Sol Jerome <sol.jerome@gmail.com> 2012-12-03 08:45:48 -0600
committer: Sol Jerome <sol.jerome@gmail.com> 2012-12-03 08:45:48 -0600
commit: 41d1d29b8b545e0f636ebf26795eecd1a46bc9fb
tree: ffed75712d123ef83c37484b618dbe4ff3171b34 /doc/server/selinux.txt
parent: 10f815f1af1935bd76b7f75c5577c6f6197d706e
SELinux: Split up selinux entries

This commit splits up the all-in-one SELinux tag into various entries (formerly done using a type attribute). This helps prevent ambiguation when entries of different SELinux types have the same name. Note that there is still some ambiguation for File Context entries since there can be duplicates involved.

Signed-off-by: Sol Jerome <sol.jerome@gmail.com>

Diffstat (limited to 'doc/server/selinux.txt')
-rw-r--r-- doc/server/selinux.txt 39
1 files changed, 4 insertions, 35 deletions
diff --git a/doc/server/selinux.txt b/doc/server/selinux.txt
index e61a09002..9f54b0d68 100644
--- a/doc/server/selinux.txt
+++ b/doc/server/selinux.txt
@@ -135,47 +135,16 @@ will be considered extra, making ``selinux_baseline.py`` quite
necessary.
``selinux_baseline.py`` writes a bundle to stdout that contains
-``BoundSELinux`` entries for the appropriate SELinux entities. It
-does this rather than separate Bundle/Rules files because of the
-:ref:`server-selinux-duplicate-entries` problem.
+``BoundSELinux`` entries for the appropriate SELinux entities.
.. _server-selinux-duplicate-entries:
Duplicate Entries
-----------------
-In certain cases, it may be necessary to create multiple SELinux
-entries with the same name. For instance, "root" is both an SELinux
-user and an SELinux login record, so to manage both, you would have
-the following in Bundler:
-
-.. code-block:: xml
-
- <SELinux name="root"/>
- <SELinux name="root"/>
-
-And in Rules:
-
-.. code-block:: xml
-
- <SELinux type="login" selinuxuser="root" name="root"/>
- <SELinux type="user" prefix="user" name="root"
- roles="system_r sysadm_r user_r"/>
-
-But Rules has no way to tell which "root" is which, and you will get
-errors. In these cases, it is necessary to use ``BoundSELinux`` tags
-directly in Bundler. (See :ref:`boundentries` for more details on
-bound entries.) For instance:
-
-.. code-block:: xml
-
- <BoundSELinux type="login" selinuxuser="root" name="root"/>
- <BoundSELinux type="user" prefix="user" name="root"
- roles="system_r sysadm_r user_r"/>
-
-It may also be necessary to use ``BoundSELinux`` tags if a single
-fcontext needs two different SELinux types depending on whether it's a
-symlink or a plain file. For instance:
+It may be necessary to use `BoundSELinux` tags if a single fcontext
+needs two different SELinux types depending on whether it's a symlink
+or a plain file. For instance:
.. code-block:: xml
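
Review bot: The added line "+It may be necessary to use `BoundSELinux` tags if a single fcontext" wraps the tag name in single backticks, which reStructuredText treats as interpreted text (the default role) rather than an inline literal. The rest of this file, including the removed version of the same sentence, uses double backticks (``BoundSELinux``), so please keep that form here. Separately, the commit message says the all-in-one SELinux tag is being split into per-type entries, yet both added paragraphs still name ``BoundSELinux``. If the bound tag is split as well, this sentence and the description of what ``selinux_baseline.py`` writes should name the new entries. Finally, the hunk keeps the ``server-selinux-duplicate-entries`` label while removing the one visible reference to it and the pointer to :ref:`boundentries`. A one-line link to the bound-entries documentation would let the remaining fcontext example still explain what a bound tag is.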