serepolicy-3.12.1 version, The
'use_ecryptfs_home_dirs' Boolean control ecyprfs_t
type under users encrypted directory. The Boolean
control granularity is coarse, such as xserver,
Mozilla, chrome applications setting policy, while
related to the home user domain gives the
ecryptfs_t object to operate and manage permissions.
In the configuration of the ecryptfs_t type to control
encrypted user home directory method has following
problems :
1> ecryptfs user home directory only ecryptfs_t
type, can not be distinguished by type between
different applications under the user home
directory, so that use_ecryptfs_home_dirs Boolean
control permission is too big.
2> if user home directory add new applications,
you will need to supplement the application policy of
ecryptfs_t type, while not directly use the existing
policy that is used under the unencrypted user home
directory.
To solve these problems, I have a idea that we can
use 'semanage fcontext' command to realize ecrytfs
user home directory and unencrypted user home
directory shared control policy.
Actually, using the ecryptfs user home directory is
to operate the encrypted directory
(/home/.ecryptfs/$USER_NAME/. Pravite) . The files
under encrypted directory and ecryptfs mounted point
directory (/home/$USER_NAME/) are one to one. With the
following commands, the
ecryptfs user home directory (but filenames aren't be
encrypted) can be labelled with the unencrypted user
home directory security context.
# semanage fcontext -a -e /home/$USER_NAME
/home/.ecryptfs/$USER_NAME/.Private
# restorecon -RFv
/home/.ecryptfs/$USER_NAME/.Private
# restorecon -R -v /home/.ecryptfs/
The ecryptfs does
not encrypt user home directory filenames and only
encypted file contents case, this method can realize
to use common user home directory policy, better than
the existing 'user_ecryptfs_home_dirs' boolean
control.
