SELinux Mailing List

Re: Policy questions

From: Brian May <bam_at_snoopy.apana.org.au>
Date: Sat, 27 Jul 2002 13:31:53 +1000


On Fri, Jul 26, 2002 at 03:38:42PM +0200, Russell Coker wrote:
> Make relabel labels ~/public_html as system_u:object_r:user_home_html_t.
>
> I create a new subdirectory under my home directory and it gets
> rjc:object_r:user_home_t. Then I rename some directories and I can relabel
> the object from rjc:object_r:user_home_t to rjc:object_r:user_home_html_t.
>
> However, if the sysadm relabels the file system after I created the new
> directory (either I created it before they installed SE Linux, or they felt a
> need to relabel the file system) then the directory gets
> system_u:object_r:user_home_t and I can't relabel it to
> rjc:object_r:user_home_html_t!

Is the problem here that you are trying to relabel system_u to rjc?

> So if I made setfiles have special-case code for /home which searches for an
> identity matching the sub-directory name and uses it as part of the label
> then this problem would be solved.
>
> However Steve doesn't even want me to hack setfiles to know ANYTHING about
> the format of a context string (he didn't like my patch to avoid needing
> system_u:object_r as a prefix for every type).

Personally, I don't like the idea of relabel touching the home directory. It seems to have some limitations:

  1. I want to set up a ~/untrusted directory on my account to allow downloads from netscape. The current policy allows me to do this. However, I don't want relabel to "fix" this.
  2. You still have the problem of initially creating the directories in the first place...
  3. Not everyone creates home directories under /home.

Some ideas:

Maybe have some sort of script that the user runs to initially set up the initial directories and labels for a given program (eg. user runs "setup netscape"). This script may need special relabel privileges, if the user doesn't already have them.

Have adduser automatically label files for new users using the new SE-Linux user it just created (hmmm... generic hooks into adduser might be ideal here).

When initially installing selinux set all home directories to the "best" defaults using some sort of hacked script, and tell the system administrator to check that this is correct.

Allow users to relabel their files to/from public_html, depending on local policy.

Otherwise prevent users from renaming the ~/public_html directory (is this possible?).

-- 
Brian May <bam@snoopy.apana.org.au>
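The following shell script is an added illustration, not code from either poster or from setfiles. It computes the label Russell's proposed /home special case would assign (identity taken from the directory name under /home, user_home_html_t for ~/public_html, user_home_t otherwise) and reports where a current context differs, such as the system_u identity left by a system-wide relabel. To address Brian's ~/untrusted point it leaves any entry alone whose type is not one of those two, treating it as a deliberate user assignment; the sample "ls -Z"-style lines are constructed.

```shell
#!/bin/sh
# Added example: audit home-directory labels against the proposed /home rule.
# Assumptions (not from the thread): home directories live directly under
# /home, and the SELinux identity for a file is the name of its home directory.

# expected_home_context PATH -> prints IDENTITY:object_r:TYPE
expected_home_context() {
    rest=${1#/home/}            # strip the /home/ prefix
    ident=${rest%%/*}           # first component is the user identity
    sub=${rest#"$ident"}        # remainder of the path below the home dir
    case "$sub" in
        /public_html|/public_html/*) ttype=user_home_html_t ;;
        *)                           ttype=user_home_t ;;
    esac
    printf '%s:object_r:%s\n' "$ident" "$ttype"
}

# check_home_label PATH CURRENT_CONTEXT
# Prints "ok", "keep" (type deliberately set by the user, so untouched),
# or "relabel CURRENT -> EXPECTED".
check_home_label() {
    curtype=${2##*:}
    case "$curtype" in
        user_home_t|user_home_html_t) ;;
        *) echo "keep"; return 0 ;;
    esac
    exp=$(expected_home_context "$1")
    if [ "$2" = "$exp" ]; then
        echo "ok"
    else
        echo "relabel $2 -> $exp"
    fi
}

# Constructed sample in "context path" form, one entry per line.
SAMPLE='system_u:object_r:user_home_t /home/rjc/public_html
rjc:object_r:user_home_t /home/rjc/docs
rjc:object_r:user_home_html_t /home/rjc/public_html/index.html'

audit_sample() {
    printf '%s\n' "$SAMPLE" | while read -r ctx path; do
        printf '%s: %s\n' "$path" "$(check_home_label "$path" "$ctx")"
    done
}

audit_sample
```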

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Fri 26 Jul 2002 - 23:54:14 EDT
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009
