On Fri, 2008-07-18 at 15:09 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Fri, 2008-07-18 at 14:37 -0400, Joshua Brindle wrote:
> >> Stephen Smalley wrote:
> >>> In ancient days of yore, setfiles could only validate the base
> >>> file_contexts configuration because the .homedirs or .local
> >>> configurations might include local users that weren't defined by the
> >>> base policy since those definitions were brought in at policy load
> >>> time. These days the policy.N file contains all of the definitions
> >>> required to validate all file_contexts files and thus setfiles can
> >>> and should validate them.
> >>>
> >>
> >> I don't think that was the motivation. We want to explicitly support
> >> a user overriding a context specified in the policy with semanage and
> >> I think giving this cryptic warning is going to confuse people. For
> >> all other semanage objects we allow overriding the main policy with
> >> no warning, why would this be different?
> >
> > I actually went back through the mailing list archives, and
> > the reason I stated (inability to validate entries using
> > localusers) was the motivation for baseonly validation in
> > setfiles -c.
> >
> > We've never supported users creating conflicting file
> > contexts entries with the base policy as far as I know.
> > We've always warned on this condition.
> >
> > I suppose we could alter that behavior but I'm not sure it
> > will work as expected at present; the logic in libselinux to
> > move all exact specs to the end could for example interfere
> > with it. Or if we did a full fcsort of file_contexts.local
> > as has been suggested elsewhere. And one could have dups
> > within file_contexts.local itself, which we can't presently
> > distinguish from dups between base and .local with the current logic.
>
> All the same I think that a user overriding a policy file context should
> be explicitly supported.
Patches accepted ;)

--
Stephen Smalley
National Security Agency
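The thread above points out that the current logic cannot tell a duplicate inside file_contexts.local apart from a duplicate between the base file_contexts and .local, and that an override of a base spec is what the warning fires on. As an added example (not code from this list, from setfiles or from libselinux), here is a small Python script that parses both files in the file_contexts line format and classifies every repeated spec as an override, a verbatim base duplicate, or an internal .local conflict or duplicate. The two input files are constructed for the example. The comparison is purely textual on the (regex, file type) pair; it does not model how libselinux compiles and orders specs (for instance the moving of exact specs to the end that Stephen mentions), so it complements rather than replaces `setfiles -c`.

```python
import re

# Constructed sample inputs, not real policy files. The .local file overrides one
# base spec, repeats one base spec verbatim, and contains one internal conflict.
BASE_FILE_CONTEXTS = """\
# base file_contexts (constructed example)
/usr/bin/.*        system_u:object_r:bin_t:s0
/var/www(/.*)?     system_u:object_r:httpd_sys_content_t:s0
/etc/shadow    --  system_u:object_r:shadow_t:s0
"""

LOCAL_FILE_CONTEXTS = """\
# file_contexts.local (constructed example)
/var/www(/.*)?     system_u:object_r:public_content_t:s0
/etc/shadow    --  system_u:object_r:shadow_t:s0
/srv/app(/.*)?     system_u:object_r:var_t:s0
/srv/app(/.*)?     system_u:object_r:httpd_sys_content_t:s0
"""

# One spec per line: <regex> [<file type>] <context>. The file type is an optional
# two-character flag such as -- (regular file) or -d (directory); the context is a
# security context or <<none>>. Lines beginning with # are comments.
_SPEC_RE = re.compile(r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?(?P<ctx>\S+)$")


def parse_file_contexts(text):
    """Parse file_contexts text into a list of (regex, ftype, context, lineno).

    ftype is None when the spec applies to every file type. Raises ValueError on
    a line that does not look like a spec, so a truncated or mangled file is not
    silently accepted.
    """
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SPEC_RE.match(line)
        if m is None:
            raise ValueError("line %d: cannot parse spec: %r" % (lineno, raw))
        specs.append((m.group("regex"), m.group("ftype"), m.group("ctx"), lineno))
    return specs


def find_conflicts(base_text, local_text):
    """Compare file_contexts.local against the base file_contexts.

    Returns a list of (kind, regex, ftype, earlier_context, later_context), where
    kind is one of:
      base-local-override      .local gives a different context for a base spec
      base-local-dup           .local repeats a base spec with the same context
      local-internal-conflict  .local gives two different contexts for one spec
      local-internal-dup       .local repeats one of its own specs verbatim
    Specs are keyed on the (regex string, file type) pair, i.e. compared textually.
    """
    base = {}
    for regex, ftype, ctx, _ in parse_file_contexts(base_text):
        base[(regex, ftype)] = ctx
    seen_local = {}
    findings = []
    for regex, ftype, ctx, _ in parse_file_contexts(local_text):
        key = (regex, ftype)
        if key in seen_local:
            # Repeated inside .local: classify before looking at the base at all,
            # which is the distinction the current setfiles logic cannot make.
            prev = seen_local[key]
            kind = "local-internal-dup" if prev == ctx else "local-internal-conflict"
            findings.append((kind, regex, ftype, prev, ctx))
            continue
        seen_local[key] = ctx
        if key in base:
            kind = "base-local-dup" if base[key] == ctx else "base-local-override"
            findings.append((kind, regex, ftype, base[key], ctx))
    return findings


if __name__ == "__main__":
    for kind, regex, ftype, earlier, later in find_conflicts(BASE_FILE_CONTEXTS, LOCAL_FILE_CONTEXTS):
        print("%-24s %s %s: %s -> %s" % (kind, regex, ftype or "  ", earlier, later))
```

Run directly, the script reports the /var/www override, the verbatim /etc/shadow duplicate and the two conflicting /srv/app lines. To use it on a real system, read /etc/selinux/targeted/contexts/files/file_contexts and file_contexts.local into the two arguments; any line the parser rejects is worth a look before `setfiles -c` sees it.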