some fixes to allow user roles in targeted policy

Colin Walters walters at redhat.com
Mon Aug 16 14:06:14 UTC 2004


On Mon, 2004-08-16 at 08:56 -0400, Stephen Smalley wrote:

> > Fourth, the user domain needs access to user_home_dir_t:dir.
> 
> Should be $1_home_dir_t, right?

Actually that line can be scratched entirely, I think I just had the
user's home directory mislabeled, obviously that part is broken.

> > The fifth issue is access to /dev/pts.  The comment above the patch
> > should explain things.  Is there a better solution here?
> 
> If you want any protection between users, you need the separate types on
> the ptys (and ttys). 

Modulo DAC, you mean.  I think in the targeted policy we're already
relying heavily on DAC for protection between users, and this isn't
really different.

> But as above, you are likely to increasingly find
> yourself transforming the targeted policy into the strict policy to
> achieve real separation, so why not just use the strict policy?

I just run targeted policy on my laptop to test it, and I wanted to test
my hacks to the OpenSSH patch.  I guess it seemed quicker to write a
patch to allow user creation in the targeted policy than to wait through
two relabels :)

It is a bit of a unique situation, so maybe it's not worth trying to
support user creation in the targeted policy.  I just thought I'd send
my hack along in case it was found useful.
