Re: use_ecryptfs_home_dirs boolean

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dne 15.11.2013 09:07, AndrewYang napsal(a):

Because Ecryptfs does not support xattr, so a variety of application control type under ecryptfs user home is replaced by ecryptfs_t. In the
serepolicy-3.12.1 version, The 'use_ecryptfs_home_dirs' Boolean control ecyprfs_t type under users encrypted directory. The Boolean control granularity is coarse, such as xserver, Mozilla, chrome applications setting policy, while related to the home user domain gives the
ecryptfs_t object to operate and manage permissions. In the configuration of the ecryptfs_t type to control encrypted user home directory method has following problems :

1> ecryptfs user home directory only ecryptfs_t type, can not be distinguished by type between different applications under the user home
directory, so that use_ecryptfs_home_dirs Boolean control permission is too big.

2> if user home directory add new applications, you will need to supplement the application policy of ecryptfs_t type, while not directly use the existing policy that is used under the unencrypted user home directory.

To solve these problems, I have a idea that we can use 'semanage fcontext' command to realize ecrytfs user home directory and unencrypted user home directory shared control policy.

Actually, using the ecryptfs user home directory is to operate the encrypted directory (/home/.ecryptfs/$USER_NAME/. Pravite) . The files under encrypted directory and ecryptfs mounted point directory (/home/$USER_NAME/) are one to one. With the following commands, the
ecryptfs user home directory (but filenames aren't be encrypted) can be labelled with the unencrypted user home directory security context.

# semanage fcontext -a -e /home/$USER_NAME /home/.ecryptfs/$USER_NAME/.Private
# restorecon -RFv /home/.ecryptfs/$USER_NAME/.Private
# restorecon -R -v /home/.ecryptfs/

The ecryptfs does not encrypt user home directory filenames and only encypted file contents case, this method can realize to use common user home directory policy, better than the existing 'user_ecryptfs_home_dirs' boolean control.


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
There is a story

https://bugzilla.redhat.com/show_bug.cgi?id=712048

ecryptfs-migrate-home
is supposed to run

# restorecon -R -v $HOME/$USER 
# semanage fcontext -a -e /home /home/.ecryptfs
# restorecon -R -v $HOME/.ecrypfs/$USER

before $HOME/.ecrypfs/$USER is created. So

$ matchpathcon /home/.ecryptfs/mgrepl
/home/.ecryptfs/mgrepl    unconfined_u:object_r:user_home_t:s0

$matchpathcon /home/mgrepl/.ecryptfs
/home/mgrepl/.ecryptfs	unconfined_u:object_r:ecryptfs_t:s0

is the labeling what is supposed to be.

Regards,
Miroslav
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux