Re: strawman proposal: homed directories for users

On Sun, 06 Oct 2024, Zbigniew Jędrzejewski-Szmek wrote:
> On Sat, Oct 05, 2024 at 10:53:16AM +0300, Alexander Bokovoy wrote:
>> Can we move systemd-homed configuration and activation into something
>> that could be explicitly enabled by the administrators? Whether this is
>> done during installation or post, it still would need to be a conscious
>> step made by admins.
>
> It can be enabled and disabled. Nevertheless, having it enabled seems
> to be a good default. If there are no homed users defined, it should
> just hang in the background doing nothing. (Though maybe it could exit
> after being started. I'll try to look into this.)
>
> Any SELinux denials will have to be fixed anyway. So this is not an
> argument for disabling it.

Sure, it does need to be fixed. However, I think it is a signal that
systemd-homed is not really in use across Fedora community. The original
SELinux issue was opened in 2021, against Fedora 35:
https://bugzilla.redhat.com/show_bug.cgi?id=2036108

Since that time multiple people tried to get SELinux policy developed
and merged upstream and none happened until we re-raised its importance
from OpenQA failures for FreeIPA. So SELinux policy changes would come
but this is not enough.

A question was raised in 2023 by mattdm about systemd-homed support of
SELinux on newly created homes as somebody commented that systemd-homed
does not support proper labeling of the homes:
https://github.com/fedora-selinux/selinux-policy/pull/939#issuecomment-1409217811
No follow up happened on that, sadly.

I do not see any work done on that yet. Without having SELinux support
properly integrated, I think enabling systemd-homed by default is
premature.

Could you please make sure this is addressed by systemd-homed through
upstream?


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
