Daniel J Walsh wrote:
> On 12/07/2010 12:46 PM, m.roth at 5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
>>>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
<mvnch>
>> What have you done for folks who have third-party software, either F/OSS
>> or COTS, or in-house developed stuff, *none* of which was written with
>> selinux in mind, and is *not* going to be rewritten any time soon?
>> You've seen me on the selinux list, and I have yet to figure out why I see the
>> complaints about contexts, since they *appear* to be temp files, and I
>> don't know where they're located, or where the CGI scripts that
>> create them are, and *all* of it's got the added complexity that some of that
>> are on NFS-mounted directories.
>
> We have attempted to work with them, set up default labeling for them
> when we know about the problems, embarrass them when they say you need
> to disable SELinux. Red Hat is working on new developer tools to help
> third party developers work on RHEL systems. I am not sure what else I
> can do to get them to work with the security systems in place on RHEL.

Ok, it's good to know you are thinking about that. How 'bout a tool, point
it at a directory, and it reports only the files/directories that are default,
or break policy, or that *might* suggest where there's a problem (scripts
in this directory will write default_t if they run anywhere but
/here/ohly/, etc)?

        mark
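
A sketch of the kind of directory report asked for above, as an added example that is not part of the original thread and not a Red Hat tool. It assumes labels are readable through the `security.selinux` extended attribute and that `default_t`, `file_t` and `unlabeled_t` are the types worth flagging; the function names are hypothetical.

```python
import os
import sys

# Types that usually mean a file was never labelled by policy
# (assumption: type names as used by the stock targeted policy).
SUSPECT_TYPES = {"default_t", "file_t", "unlabeled_t"}


def selinux_type(context):
    """Return the type field of 'user:role:type[:level]', or None."""
    if not context:
        return None
    parts = context.strip("\x00 \n").split(":")
    return parts[2] if len(parts) >= 3 else None


def read_context(path):
    """Read the label from the security.selinux xattr; None if unavailable."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except (OSError, AttributeError):  # no label, no xattr support, or non-Linux
        return None
    return raw.decode("ascii", "replace")


def scan(root, reader=read_context):
    """Walk root; return sorted (path, type) pairs for suspect or missing labels."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            ctx_type = selinux_type(reader(path))
            if ctx_type is None or ctx_type in SUSPECT_TYPES:
                findings.append((path, ctx_type or "<no label>"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python3 script.py /path/to/dir  (defaults to the current directory)
    for path, ctx_type in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{ctx_type}\t{path}")
```

For the "break policy" half of the request, `restorecon -n -v -R <dir>` lists files whose label differs from what the loaded file-context rules expect, without changing anything.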