On Mon, 2011-07-04 at 20:22 +0800, Benedict S wrote:
> The manpage of semanage says that "SELinux Prefix. Prefix added to home_dir_t
> and home_t for labeling users home directories.", but I don't know how to use
> it. Is there anyone to help me? Thanks.

This option was used for rbacsep and is no longer applicable. You can use "-P user" for all your SELinux users.

rbacsep support was dropped from reference policy a while ago and a new functionality called ubac was introduced instead. However, Fedora decided to disable the ubac functionality by default.

Basically the old rbacsep and the new ubac allow for the separation of the various SELinux users.

The way rbacsep would do that was to allow you to define user prefixes. So, for example, a prefix for a myuser_u SELinux user could be myuser; then the user home dir types would be prefixed (/home/myuser -> myuser_home_dir_t, instead of user_home_dir_t) and user home content would be labelled myuser_home_t (instead of user_home_t). That would allow one to define policy based on these types. For example, myuser_u can access myuser_home_dir_t but not youruser_home_dir_t. So: separation of SELinux users' home spaces by using type enforcement.

Ubac allows for similar separation (and more) by using the SELinux user identity field (the first field in the security context tuple). Instead of using type enforcement to achieve this, it uses policy constraints (policy constraints are also used for MLS and MCS). Basically the way this works is by comparing the first field of the security context of the source of an interaction to the first field of the security context of the interaction. So:

myuser_u:myuser_r:myuser_t:s0 can read myuser_u:object_r:user_home_t:s0 files, but not youruser_u:object_r:user_home_t:s0 files.

> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
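As an added illustration, not part of the reply above or of any SELinux policy: a small Python model of the two mechanisms the reply describes, rbacsep's prefixed home types and ubac's comparison of the SELinux user field of source and target. All function names are assumptions made for this example, and real policy has further rules and exemptions the model leaves out.

```python
# Constructed teaching model of rbacsep (type enforcement with per-user type
# prefixes) versus ubac (a constraint on the SELinux user identity field).
# It is NOT real policy code; it only mirrors the examples in the reply.
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, text: str) -> "Context":
        # A context is "user:role:type:level". The level may itself contain
        # colons (e.g. "s0-s0:c0.c1023"), so split at most three times.
        parts = text.split(":", 3)
        if len(parts) != 4:
            raise ValueError(f"malformed security context: {text!r}")
        return cls(*parts)


def rbacsep_type(prefix: str, generic_type: str) -> str:
    """rbacsep relabels generic user_* home types with the user's prefix:
    prefix "myuser" turns user_home_dir_t into myuser_home_dir_t."""
    if not generic_type.startswith("user_"):
        raise ValueError("rbacsep only prefixes user_* home types")
    return prefix + generic_type[len("user"):]


def rbacsep_allows(domain_prefix: str, target_type: str) -> bool:
    """Type enforcement: a prefixed domain may touch only its own prefixed
    home types (myuser_home_dir_t / myuser_home_t), never youruser_*."""
    return target_type.startswith(domain_prefix + "_home")


def ubac_allows(source_ctx: str, target_ctx: str) -> bool:
    """ubac constraint: the first field (SELinux user) of the source context
    must equal the first field of the target context, regardless of type."""
    return Context.parse(source_ctx).user == Context.parse(target_ctx).user


if __name__ == "__main__":
    src = "myuser_u:myuser_r:myuser_t:s0"
    print(rbacsep_type("myuser", "user_home_dir_t"))
    print(ubac_allows(src, "myuser_u:object_r:user_home_t:s0"))
    print(ubac_allows(src, "youruser_u:object_r:user_home_t:s0"))
```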
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux