some fixes to allow user roles in targeted policy
Colin Walters
walters at redhat.com
Sat Aug 14 18:19:06 UTC 2004
Hi,
I'm trying to create a restricted user domain with the targeted policy,
e.g.:
full_user_role(test)
This turned up quite a number of issues.
First, I had to suck in user.te from the strict policy to get the
booleans. I stripped it down to just the essentials; it may make sense
to add some of it back.
Secondly, unconfined_t isn't completely unconfined; in particular it
can't transition to arbitrary domains. So sshd (which runs as
unconfined_t) can't enter the new user domain. So I added a bit to
full_user_role which allows unconfined_t to transition to new user
domains (via a shell) in the targeted policy.
Third, there were a few missing ifdefs (likely applicable in strict
policy too).
Fourth, the user domain needs access to user_home_dir_t:dir.
The fifth issue is access to /dev/pts. The comment above the patch
should explain things. Is there a better solution here?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: targeted-users.patch
Type: text/x-patch
Size: 3970 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20040814/75167b9b/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20040814/75167b9b/attachment.sig>
More information about the fedora-selinux-list
mailing list