[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: genhomedircon flakyness



On Tue, 2005-04-12 at 14:10 -0400, Valdis Kletnieks vt edu wrote:
> Running fedora-devel tree as of last night, and I'm hitting an oddness.
> 
> Basic problem: I add a user to /etc/selinux/strict/users/local.users,
> and at some later point I run 'make' in /etc/selinux/strict/src/policy.
> After that, genhomedircon barfs because it sees lines like:
> 
> /home/valdis            -d      valdis:object_r:staff_home_dir_t
> 
> in contexts/files/file_contexts.homedirs.  However, since it just built the
> policy using the 'users' file from src/policy/users, that 'user valdis'
> line isn't there, so the context is invalid....
> 
> Does src/policy/Makefile need a ruleset to regenerate its copy of the 'users' file?
> 
> users: $(USERPATH)/system.users $(USERPATH)/local.users
> 	cat $(USERPATH)/system.users $(USERPATH)/local.users > users
> 
> (Actually, that won't work, as $(USERPATH)/system.users has a dependency
> on $(USER_FILES), so a more sophisticated solution is needed...

No, you don't want to pull in the locally customized users into the
source tree or policy build; they are incorporated into the policy load
automatically via sepol_genusers(3) by load_policy and /sbin/init.
Hmm..we specifically disabled checking of file_contexts.homedirs by the
setfiles -c validation performed by the policy Makefile, but then added
it back again to genhomedircon for runtime updates.  But that makes no
sense, as the binary policy file doesn't have the user identities.  Mea
culpa.  Option are 1) strip the setfiles -c validation from
genhomedircon, or 2) have genhomedircon build a temporary binary policy
file via genpolusers that includes the full set of user identities and
apply setfiles -c using that file.
  
-- 
Stephen Smalley <sds tycho nsa gov>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]