Make systemd_tmpfiles_t MLS trusted for lowering the level of files #1758
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Need to make systemd_tmpfiles_t MLS trusted for lowering the level of files as the domain needs to lower the levels of device files when mls is used.
Specifically, systemd_tmpfiles_t needs to lower the sensitivity level of /dev/fuse from s15 to s0.
Note that another way we could consider is to change the default sensitivity level of /dev/fuse from s0 to s15 so that the sensitivity level does not need to be lowered from s15 to s0 in the first place. However, the default sensitivity level of /dev/fuse was intentionally changed from s15 (mls_systemhigh) to s0 in the following commit before. So, I don't understand changing it back to s15 (mls_systemhigh) is a good idea.
/dev/fuse should be s0 not mls_high
105e85a