On Tue, 2005-04-12 at 14:10 -0400, Valdis.Kletnieks@xxxxxx wrote:
> Running fedora-devel tree as of last night, and I'm hitting an oddness.
>
> Basic problem: I add a user to /etc/selinux/strict/users/local.users,
> and at some later point I run 'make' in /etc/selinux/strict/src/policy.
> After that, genhomedircon barfs because it sees lines like:
>
> /home/valdis -d valdis:object_r:staff_home_dir_t
>
> in contexts/files/file_contexts.homedirs. However, since it just built the
> policy using the 'users' file from src/policy/users, that 'user valdis'
> line isn't there, so the context is invalid....
>
> Does src/policy/Makefile need a ruleset to regenerate its copy of the 'users' file?
>
> users: $(USERPATH)/system.users $(USERPATH)/local.users
> 	cat $(USERPATH)/system.users $(USERPATH)/local.users > users
>
> (Actually, that won't work, as $(USERPATH)/system.users has a dependency
> on $(USER_FILES), so a more sophisticated solution is needed...

No, you don't want to pull in the locally customized users into the
source tree or policy build; they are incorporated into the policy load
automatically via sepol_genusers(3) by load_policy and /sbin/init.

Hmm... we specifically disabled checking of file_contexts.homedirs by the
setfiles -c validation performed by the policy Makefile, but then added
it back again to genhomedircon for runtime updates. But that makes no
sense, as the binary policy file doesn't have the user identities. Mea
culpa. Options are:
1) strip the setfiles -c validation from genhomedircon, or
2) have genhomedircon build a temporary binary policy file via
genpolusers that includes the full set of user identities and apply
setfiles -c using that file.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
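
The mismatch discussed in this thread, as an added illustration that is not part of the original messages and is not code from genhomedircon or setfiles: a simplified model that checks only the user field of each homedir context, first against the users known at build time and then against the merged set that exists after policy load. The file contents and function names are constructed for the example.

```python
import re

# Constructed sample inputs modelled on the files named in the thread.
SYSTEM_USERS = """\
user system_u roles system_r;
user root roles { staff_r sysadm_r };
"""
LOCAL_USERS = """\
# locally added user
user valdis roles { staff_r sysadm_r };
"""
HOMEDIR_CONTEXTS = """\
/home/valdis\t-d\tvaldis:object_r:staff_home_dir_t
/home/valdis/.+\t\tvaldis:object_r:staff_home_t
/root\t-d\troot:object_r:staff_home_dir_t
"""

USER_RE = re.compile(r"^\s*user\s+(\S+)\s+roles\b")


def parse_users(text):
    """Return the SELinux user identities declared in a users file."""
    users = set()
    for line in text.splitlines():
        match = USER_RE.match(line.split("#", 1)[0])  # ignore comments
        if match:
            users.add(match.group(1))
    return users


def invalid_contexts(contexts, known_users):
    """Return (line number, path, user) for entries naming an unknown user."""
    bad = []
    for lineno, line in enumerate(contexts.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[-1] == "<<none>>":
            continue  # blank line, comment, or entry with no context
        user = fields[-1].split(":", 1)[0]  # context is user:role:type
        if user not in known_users:
            bad.append((lineno, fields[0], user))
    return bad


if __name__ == "__main__":
    build_time = parse_users(SYSTEM_USERS)            # what the built policy knows
    merged = build_time | parse_users(LOCAL_USERS)    # what exists after policy load
    print("against build-time users:", invalid_contexts(HOMEDIR_CONTEXTS, build_time))
    print("against merged users:    ", invalid_contexts(HOMEDIR_CONTEXTS, merged))
```

Validating against the build-time set rejects both valdis entries, while the merged set accepts every line, which is why option 2 validates against a policy that includes the local users.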