Stephen Smalley wrote:
> On Fri, 2008-07-18 at 14:37 -0400, Joshua Brindle wrote:
>> Stephen Smalley wrote:
>>> In ancient days of yore, setfiles could only validate the base
>>> file_contexts configuration because the .homedirs or .local
>>> configurations might include local users that weren't defined by the
>>> base policy since those definitions were brought in at policy load
>>> time. These days the policy.N file contains all of the definitions
>>> required to validate all file_contexts files and thus setfiles can
>>> and should validate them.
>>>
>>
>> I don't think that was the motivation. We want to explicitly support
>> a user overriding a context specified in the policy with semanage and
>> I think giving this cryptic warning is going to confuse people. For
>> all other semanage objects we allow overriding the main policy with
>> no warning, why would this be different?
>
> I actually went back through the mailing list archives, and
> the reason I stated (inability to validate entries using
> localusers) was the motivation for baseonly validation in
> setfiles -c.
>
> We've never supported users creating conflicting file
> contexts entries with the base policy as far as I know.
> We've always warned on this condition.
>
> I suppose we could alter that behavior but I'm not sure it
> will work as expected at present; the logic in libselinux to
> move all exact specs to the end could for example interfere
> with it. Or if we did a full fcsort of file_contexts.local
> as has been suggested elsewhere. And one could have dups
> within file_contexts.local itself, which we can't presently
> distinguish from dups between base and .local with the current logic.
>

All the same I think that a user overriding a policy file context should be explicitly supported.
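As an added illustration of the distinction Stephen raises (not code from this thread, setfiles or libselinux), here is a small checker that tells duplicate specs inside file_contexts.local apart from entries that override the base file_contexts. The file_contexts fragments are constructed samples, and the checker keys entries on (regex, file type) the way the setfiles warning does.

```python
# Constructed sample file_contexts fragments (not from any real policy).
# Line format: regex [file-type] security_context
BASE_FC = """\
/etc(/.*)?              system_u:object_r:etc_t:s0
/etc/passwd             --  system_u:object_r:passwd_file_t:s0
/srv(/.*)?              system_u:object_r:var_t:s0
"""
LOCAL_FC = """\
/etc/passwd             --  system_u:object_r:shadow_t:s0
/srv/web(/.*)?          system_u:object_r:httpd_sys_content_t:s0
/srv/web(/.*)?          system_u:object_r:var_t:s0
"""


def parse_fc(text):
    """Return a list of (regex, ftype, context) tuples.

    Blank lines and '#' comments are skipped; the file-type field
    ('--', '-d', ...) is optional and reported as None when absent."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts
        elif len(parts) == 2:
            (regex, ctx), ftype = parts, None
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        entries.append((regex, ftype, ctx))
    return entries


def find_dups(base_text, local_text):
    """Classify duplicate (regex, ftype) keys found in the .local file.

    'within_local' lists keys repeated inside .local itself (a genuine
    error); 'base_vs_local' lists keys that also exist in the base file
    (an intentional local override). Each item carries both contexts."""
    base = {(r, t): c for r, t, c in parse_fc(base_text)}
    seen_local, within_local, base_vs_local = {}, [], []
    for regex, ftype, ctx in parse_fc(local_text):
        key = (regex, ftype)
        if key in seen_local:
            within_local.append((regex, ftype, seen_local[key], ctx))
            continue
        seen_local[key] = ctx
        if key in base:
            base_vs_local.append((regex, ftype, base[key], ctx))
    return {"within_local": within_local, "base_vs_local": base_vs_local}
```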