Security Enhanced Linux
SELinux Mailing List

Re: make install fails if any users are in local.users
From: Stephen Smalley <sds_at_tycho.nsa.gov>
Date: Wed, 16 Mar 2005 08:20:08 -0500

Actually, I'm not certain what the desired behavior for setfiles -c should be in this case. That option was introduced by Colin so that contexts from the file contexts configuration could be checked against a binary policy to ensure that any errors (e.g. undefined types) would be caught upon policy build rather than not showing up until runtime usage of file_contexts (e.g. by rpm, setfiles/restorecon, udev, etc). Since that time, the file_contexts.local and file_contexts.homedir support was introduced to allow local customization of file contexts and users without requiring policy sources.

One question is whether setfiles -c should only validate the base file_contexts configuration (which no longer contains the home directory entries at all). If so, then we need to provide an interface to set which files are processed by matchpathcon_init(3). This seems appropriate to me, but would mean that e.g. a bug in genhomedircon that yields a corrupted file_contexts.homedir won't be noticed at policy build time.

file_contexts.local definitely doesn't seem appropriate for validation upon policy build, as it is purely for local customizations.

--
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency

Received on Wed 16 Mar 2005 - 08:33:42 EST
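
A simplified model of the trade-off raised in this message, added here as an example (it is not setfiles or libselinux code): a checker that validates file-context entries against a set of defined types, with the caller choosing which files are processed. The type set, the sample entries and the names `check_contexts` and `validate` are constructed for illustration; a plain Python set stands in for the binary policy.

```python
# Constructed sample data; not taken from any real policy.
DEFINED_TYPES = {"etc_t", "bin_t", "user_home_t", "user_home_dir_t"}  # stand-in for the binary policy
SAMPLE_FILES = {
    "file_contexts": (
        "# base entries\n"
        "/etc(/.*)?\tsystem_u:object_r:etc_t\n"
        "/bin/.*\t--\tsystem_u:object_r:bin_t\n"
        "/proc\t<<none>>\n"
    ),
    "file_contexts.homedir": (
        "/home/[^/]*\t-d\tuser_u:object_r:user_home_dir_t\n"
        "/home/[^/]*/.+\tuser_u:object_r:user_hme_t\n"  # constructed corruption: misspelled type
    ),
    "file_contexts.local": "/srv/app(/.*)?\tsystem_u:object_r:local_app_t\n",
}
FILE_KINDS = {"--", "-d", "-b", "-c", "-l", "-p", "-s"}  # optional file-type field

def check_contexts(text, defined_types):
    """Return (line_number, message) pairs for entries that fail validation."""
    errors = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3 and fields[1] in FILE_KINDS:
            context = fields[2]
        elif len(fields) == 2:
            context = fields[1]
        else:
            errors.append((n, "malformed entry"))
            continue
        if context == "<<none>>":  # entry that assigns no label; nothing to validate
            continue
        parts = context.split(":")  # user:role:type[:level]
        if len(parts) < 3:
            errors.append((n, "malformed context"))
        elif parts[2] not in defined_types:
            errors.append((n, "undefined type " + parts[2]))
    return errors

def validate(names, files=SAMPLE_FILES, defined_types=DEFINED_TYPES):
    """Validate only the named files, modelling a selectable set of processed files."""
    return {name: check_contexts(files[name], defined_types) for name in names}

if __name__ == "__main__":
    print(validate(["file_contexts"]))                           # base only: homedir error goes unseen
    print(validate(["file_contexts", "file_contexts.homedir"]))  # homedir corruption caught
```
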
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |