Juan Antonio Osorio
Ah! Linter found something
/gcbrun
Seems there are merge conflicts here. Anybody working on this still?
@wrabcak anybody from the team that can check this out? This is preventing us from using Udica in CI environments.
I don't have one handy right now, but this is how we were generating it https://github.com/JAORMX/selinuxd/blob/main/hack/ci/daemon-and-trace.sh#L48
@vmojzis I'm on PTO, but I'll provide a reproducer when I'm back. Or @jhrozek any chance you could look into this?
@wrabcak wouldn't applying a new SELinux policy require a container restart either way? Thought you needed to set SELinux labels on process start.
> @JAORMX, there is a possibility to force label change during process runtime, but I don't know if it's possible for containers. Uhm...that might be an RFE then for the...
@bachradsusi are there any plans on having the semodule utilities be actual standalone library components? Currently they all depend on the binaries being there and that's not ideal. I'd much...
> The reason for using exec() on these tools is to allow policy admin to specify transitions to domains which are allowed to manage selinux, e.g. useradd doesn't need to...