some fixes to allow user roles in targeted policy
Colin Walters
walters at redhat.com
Mon Aug 16 14:06:14 UTC 2004
On Mon, 2004-08-16 at 08:56 -0400, Stephen Smalley wrote:
> > Fourth, the user domain needs access to user_home_dir_t:dir.
>
> Should be $1_home_dir_t, right?
Actually that line can be scratched entirely, I think I just had the
user's home directory mislabeled, obviously that part is broken.
> > The fifth issue is access to /dev/pts. The comment above the patch
> > should explain things. Is there a better solution here?
>
> If you want any protection between users, you need the separate types on
> the ptys (and ttys).
Modulo DAC, you mean. I think in the targeted policy we're already
relying heavily on DAC for protection between users, and this isn't
really different.
> But as above, you are likely to increasingly find
> yourself transforming the targeted policy into the strict policy to
> achieve real separation, so why not just use the strict policy?
I just run targeted policy on my laptop to test it, and I wanted to test
my hacks to the OpenSSH patch. I guess it seemed quicker to write a
patch to allow user creation in the targeted policy than to wait through
two relabels :)
It is a bit of a unique situation, so maybe it's not worth trying to
support user creation in the targeted policy. I just thought I'd send
my hack along in case it was found useful.