On Tue, 26 Oct 2004 07:31, Thomas Bleher wrote:
> OK, what do you guys think about the following patch:
> It adds an attribute $1_domain_file_type, so all file types from derived
> user domains can be grouped together. It also adds a restorecon_domain()
> macro, so users can call restorecon to reset the labels on their files.

I've attached a patch named "tom.diff" which applies after your patch to tweak
a few things.

The new attribute allows a better way of dealing with the locate policy so I
changed it appropriately. I added some use of sysadm_domain_file_type.

Some of the types you had given the attribute $1_domain_file_type seemed
inappropriate, this includes the print spool type, some temporary files, and
files under /var/run.

Whether we have the user_restorecon_t domain etc is something that needs more
consideration.

The attached patch named "diff" has the user_domain_file_type stuff from your
patch with my amendments but none of the restorecon changes. I think that
"diff" is worthy of being included in CVS regardless of what we do with
restorecon.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page