On 02/15/2010 07:27 PM, Scott Salley wrote:
> I'm working on a set of patches to integrate Likewise Open (Active
> Directory authentication for Unix/Linux/Mac) into Fedora/SELinux.
>
> I am having trouble defining how a user's home directory should be
> handled.
>
> We don't place users directly in /home as the domain user account name
> may conflict with an existing account. Instead, we use /home/%D/%U
> where %D is the domain and %U is the user account. (We may have users
> with the same account name in different domains.)
>
> I want to make sure that if users are joined while SELinux is not
> enabled, and then SELinux is re-enabled, the files get the proper
> contexts.
>
> Suggestions?

I think that is problematic because of this file context specification in
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:

/home/[^/]*/.+ guest_u:object_r:user_home_t:s0

That basically says label everything below /home/*/ with type user_home_t, I believe.

/home/[^/]* -d guest_u:object_r:user_home_dir_t:s0

This says label all directories below /home type user_home_dir_t, I believe.

You want /home/domain and /home/domain/* user_home_dir_t, I believe. I think that would conflict with the current specification: i.e. should it label /home/*/* user_home_t or user_home_dir_t?

If and when that IMO fundamental issue is resolved it is just a matter of cloning the entries from /etc/selinux/targeted/contexts/files/file_contexts.homedirs, I believe.

I will be interested what others' opinion is on this matter as I might be wrong.

> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
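The conflict described in the reply can be made concrete by emulating how file_contexts entries are matched. The script below is an added example and not code from the thread or from libselinux; it assumes the matching rules libselinux applies to file_contexts (each regex is anchored at both ends, an optional -d/--/-l field restricts an entry to one object type, and the last matching entry wins). The stock entries are a constructed excerpt of the two lines quoted above, and the DOMAIN_HOMEDIRS entries are a hypothetical way of expressing the /home/%D/%U layout, added here only to show how appending them changes the result for /home/*/*.

```python
import re

# Object-type flags as used in file_contexts entries (subset that matters here)
KIND_FLAGS = {"-d": "dir", "--": "file", "-l": "symlink", "-c": "char",
              "-b": "block", "-s": "sock", "-p": "fifo"}

# Constructed excerpt in the style of file_contexts.homedirs: the two entries
# discussed in the thread, not copied from a live system.
STOCK_HOMEDIRS = """\
/home/[^/]*/.+      guest_u:object_r:user_home_t:s0
/home/[^/]*     -d  guest_u:object_r:user_home_dir_t:s0
"""

# Hypothetical extra entries for a /home/%D/%U layout, appended after the
# stock ones so they take precedence. This is an assumption about how the
# layout could be expressed, not a proposal from the thread.
DOMAIN_HOMEDIRS = """\
/home/[^/]*/[^/]*/.+     guest_u:object_r:user_home_t:s0
/home/[^/]*/[^/]*    -d  guest_u:object_r:user_home_dir_t:s0
"""


def parse_file_contexts(text):
    """Return a list of (compiled_regex, kind_or_None, context) in file order."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, context = fields
            kind = KIND_FLAGS[flag]
        elif len(fields) == 2:
            (regex, context), kind = fields, None
        else:
            raise ValueError(f"malformed file_contexts entry: {raw!r}")
        # file_contexts regexes are implicitly anchored at both ends
        specs.append((re.compile("^" + regex + "$"), kind, context))
    return specs


def lookup(specs, path, kind):
    """Emulate a file_contexts lookup: scan entries last-to-first, skip entries
    whose object type does not match, return the first hit (last in the file)."""
    for regex, want_kind, context in reversed(specs):
        if want_kind is not None and want_kind != kind:
            continue
        if regex.match(path):
            return None if context == "<<none>>" else context
    return None


def home_types(specs, domain="EXAMPLE", user="alice"):
    """Label a constructed /home/%D/%U tree and report the SELinux type of each path."""
    samples = [
        (f"/home/{domain}", "dir"),
        (f"/home/{domain}/{user}", "dir"),
        (f"/home/{domain}/{user}/.bashrc", "file"),
    ]
    out = {}
    for path, kind in samples:
        ctx = lookup(specs, path, kind)
        out[path] = ctx.split(":")[2] if ctx else None
    return out


if __name__ == "__main__":
    stock = parse_file_contexts(STOCK_HOMEDIRS)
    merged = stock + parse_file_contexts(DOMAIN_HOMEDIRS)
    # Stock rules give /home/EXAMPLE/alice user_home_t; appending the %D/%U
    # entries changes it to user_home_dir_t because the last match wins.
    print("stock rules:", home_types(stock))
    print("with %D/%U: ", home_types(merged))
```

With only the stock entries the per-user directory /home/EXAMPLE/alice comes out as user_home_t, which is exactly the ambiguity the reply raises; once the extra entries sit after them it becomes user_home_dir_t while /home/alice is unaffected. On a real box the authoritative answer comes from `matchpathcon -m dir /home/EXAMPLE/alice` against the installed policy, and after any file_contexts change the existing tree still needs `restorecon -R` to pick up the new labels.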