SELinux Mailing List

Re: Proposed patch to policy file_contexts

From: Karl MacMillan <kmacmillan_at_tresys.com>
Date: Mon, 08 Mar 2004 10:59:44 -0500


On Fri, 2004-03-05 at 12:18, Stephen Smalley wrote:
> On Wed, 2004-03-03 at 16:36, Karl MacMillan wrote:
> > Here is an updated version that writes all of the error messages to
> > stderr. There are 2 patches - the first is against the patch I sent
> > before and the other is the full version.
>
> The resulting file_contexts file maps /root entries to staff*_home_t
> rather than sysadm*_home_t. This is a general limitation of
> genhomedircon (not knowing which role to select when multiple ones are
> authorized), but the old one avoided the problem by skipping root and
> leaving the /root entries in the .fc files. Now, we could alter the
> ordering of roles for root in policy/users as a workaround; that
> shouldn't affect the default context as that is governed by
> /etc/security/default_contexts.

Our thinking was that root shouldn't be a special case and the ordering of the roles could take care of everything. I'm not clear why root should be labeled with sysadm*_home_t, though. Why not treat root like all of the other admins? Wouldn't labeling root with sysadm*_home_t make logging in as staff_r for root problematic (for example, when ssh logins are allowed for root)?

Karl

-- 
Karl MacMillan
Tresys Technology
kmacmillan@tresys.com
http://www.tresys.com
(410) 290-1411 x134


Received on Mon 8 Mar 2004 - 11:00:08 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service