On Mo, 07.10.24 14:15, Alexander Bokovoy (abokovoy@xxxxxxxxxx) wrote:

> > > https://github.com/fedora-selinux/selinux-policy/pull/939#issuecomment-1409217811
> > > No follow up happened on that, sadly.
> > >
> > > I do not see any work done on that yet. Without having SELinux support
> > > properly integrated, I think enabling systemd-homed by default is
> > > premature.
> >
> > Actually selinux-policy has support for systemd-homed in F41 and F42 since
> > Sep 24th.
>
> Thanks, though this is about the first part (selinux-policy allowing
> systemd-homed to access its own default home directory), while the
> github comment talks about drives that systemd-homed creates for user
> homes. That part needs to be addressed in systemd-homed, if I understand
> correctly, pretty much like we address labeling of auto-created home
> directories in oddjob.

I am pretty sure all files inside of a home dir should carry the same
SELinux label, identifying it as a user's file. Because everything else
makes home directories unportable, because local system policy will leak
into the homedirs.

Moreover, SELinux policy, even if it wanted to, couldn't really express
fine-grained app policy, since it's a centralized thing, and we live in
a world where apps are built and distributed outside Fedora, with
Flatpak and stuff. The assumption that every app comes via Fedora, and
hence can come with an SELinux database/policy also shipped by Fedora
to match it, is just unrealistic in today's world.

There's an upstream issue about all this:

https://github.com/systemd/systemd/issues/30580

It's kinda stuck, because the overlap of folks deeply interested in
homed and deeply interested in SELinux is kinda small to non-existent.

Anyway, if all people want is to stick another "relabel this" call
after we create a new homedir, I am fine with that, but this would not
be a full fix in my eyes.
Lennart

--
Lennart Poettering, Berlin
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
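The property Lennart argues for above, that every file inside a home directory carries one and the same SELinux type so that local file-context policy does not leak into a portable home, can be checked mechanically. The script below is an added example written for this page; it is not code from the thread, from systemd-homed or from selinux-policy. It assumes the home type is `user_home_t` (Fedora's default, passed in as a parameter), that GNU find with SELinux support is available for `-printf '%Z %p\n'` on a real system, and that `restorecon -R` is the "relabel" call under discussion. The listing it parses in the self-test is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or any project it names).
# Reports every file under a home directory whose SELinux *type* differs
# from the one expected for user files. A non-empty report means some
# file_contexts rule of the local policy has leaked into the home dir,
# which is exactly what makes the home non-portable between hosts.
#
# Input format (one entry per line): "<context> <path>", i.e. the output of
#   find "$HOME" -mindepth 1 -printf '%Z %p\n'
# A context looks like user_u:role_r:type_t:s0; the type is the third field.

# check_home_labels EXPECTED_TYPE < listing
# Prints "<path> <type>" for each deviating entry; exit status 1 if any.
check_home_labels() {
    awk -v want="$1" '
        {
            ctx  = $1
            path = substr($0, length(ctx) + 2)   # keeps spaces in paths
            n    = split(ctx, f, ":")
            type = (n >= 3) ? f[3] : ctx          # tolerate odd contexts
            if (type != want) { print path " " type; bad++ }
        }
        END { exit ((bad > 0) ? 1 : 0) }
    '
}

# scan_home HOMEDIR EXPECTED_TYPE
# Real-system wrapper (assumption: GNU find built with SELinux support).
# The home directory itself is skipped because it legitimately carries
# user_home_dir_t rather than user_home_t.
scan_home() {
    find "$1" -mindepth 1 -printf '%Z %p\n' | check_home_labels "$2"
}

# relabel_home HOMEDIR
# The "relabel" call mentioned in the thread: reapply file_contexts policy.
# Note that this *applies* the local policy rather than making the home
# uniform, so a portable home may still fail scan_home afterwards.
relabel_home() {
    restorecon -R "$1"
}

# Constructed sample listing (not captured from a real host). Two entries
# carry types that Fedora's file_contexts assign by path (~/.ssh and
# ~/public_html); those are the "leaked" local policy.
sample_listing() {
    cat <<'EOF'
unconfined_u:object_r:user_home_t:s0 /home/alice/notes.txt
unconfined_u:object_r:user_home_t:s0 /home/alice/.bashrc
unconfined_u:object_r:ssh_home_t:s0 /home/alice/.ssh/id_ed25519
system_u:object_r:httpd_user_content_t:s0 /home/alice/public_html/index.html
unconfined_u:object_r:user_home_t:s0 /home/alice/file with spaces.txt
EOF
}

# Stand-alone demo: run the check over the constructed listing.
if [ "${1:-}" = "--demo" ]; then
    sample_listing | check_home_labels user_home_t
    echo "exit status: $?"
fi
```

Run `sh script.sh --demo` to see the two deviating paths; on a real Fedora host, `scan_home /home/alice user_home_t` does the same against the live filesystem. The check only looks at the type field, because user, role and MLS range differ between hosts for reasons unrelated to the leak the thread is about.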