Anton Arapov wrote: > On Thu, Dec 11, 2008 at 11:40:25AM -0500, Michael DeHaan wrote: > >> Anton Arapov wrote: >> >>
Anton, I'm pretty sure it's fine for applications to be ensuring that contexts are set right, so the earlier things seem fine to me, though it also seems that we would be better served having a SELinux policy written for koan, and having that shipped with koan (and possibly installed by the RPM -- or providing instructions for it do so). Perhaps we can follow that tactic instead? This would have the benefit of also being able to move koan out of being unconfined, which may actually /improve/ security in a few regards (except of course koan's there to reinstall your system if you use --replace-self so it's a bit illusory to assume that's why we're doing it). The policy would need to be very open ended because koan can install files with it's --update-files feature and also manipulate grub? Does that make sense? --Michael _______________________________________________ cobbler mailing list [email protected] https://fedorahosted.org/mailman/listinfo/cobbler
