Stephen Smalley wrote:
> On Fri, 2008-07-18 at 15:09 -0400, Joshua Brindle wrote:
>> Stephen Smalley wrote:
>>> On Fri, 2008-07-18 at 14:37 -0400, Joshua Brindle wrote:
>>>> Stephen Smalley wrote:
>>>>> In ancient days of yore, setfiles could only validate the base
>>>>> file_contexts configuration because the .homedirs or .local
>>>>> configurations might include local users that weren't defined by
>>>>> the base policy since those definitions were brought in at policy
>>>>> load time. These days the policy.N file contains all of the
>>>>> definitions required to validate all file_contexts files and thus
>>>>> setfiles can and should validate them.
>>>>>
>>>>
>>>> I don't think that was the motivation. We want to explicitly
>>>> support a user overriding a context specified in the policy with
>>>> semanage and I think giving this cryptic warning is going to
>>>> confuse people. For all other semanage objects we allow overriding
>>>> the main policy with no warning, why would this be different?
>>>
>>> I actually went back through the mailing list archives, and the
>>> reason I stated (inability to validate entries using
>>> localusers) was the motivation for baseonly validation in
>>> setfiles -c.
>>>
>>> We've never supported users creating conflicting file contexts
>>> entries with the base policy as far as I know.
>>> We've always warned on this condition.
>>>
>>> I suppose we could alter that behavior but I'm not sure it will work
>>> as expected at present; the logic in libselinux to move all exact
>>> specs to the end could for example interfere with it. Or if we did
>>> a full fcsort of file_contexts.local as has been suggested
>>> elsewhere. And one could have dups within file_contexts.local
>>> itself, which we can't presently distinguish from dups between base
>>> and .local with the current logic.
>>>
>>
>> All the same I think that a user overriding a policy file context
>> should be explicitly supported.
>
> Patches accepted ;)

So, your current patch is disabling this support altogether, right?

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
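As an added illustration (not code from this thread, setfiles or libselinux), a small Python checker that parses file_contexts-style specs and separates the two cases the thread says the current logic cannot tell apart: a .local entry that duplicates a base spec (whether it overrides the context or merely repeats it) versus a spec duplicated within file_contexts.local itself. The sample base and .local inputs are constructed.

```python
from collections import defaultdict

# Optional file-type field accepted in file_contexts specs.
FILE_TYPES = {"--", "-d", "-c", "-b", "-s", "-l", "-p"}

def parse_file_contexts(text):
    """Parse 'regex [file_type] context' lines into (regex, ftype, context)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FILE_TYPES:
            regex, ftype, context = fields
        else:
            raise ValueError("line %d: malformed spec: %r" % (lineno, raw))
        entries.append((regex, ftype, context))
    return entries

def find_conflicts(base_text, local_text):
    """Key specs by (regex, file_type); report 'override' (local context differs
    from base), 'redundant' (same context as base) and 'local_dup' (repeated in .local)."""
    base = {(r, t): c for r, t, c in parse_file_contexts(base_text)}
    local = defaultdict(list)
    for r, t, c in parse_file_contexts(local_text):
        local[(r, t)].append(c)
    report = {"override": [], "redundant": [], "local_dup": []}
    for key, contexts in local.items():
        if len(contexts) > 1:
            report["local_dup"].append((key, contexts))
        if key in base:  # treat the last .local entry for a spec as the effective one
            kind = "redundant" if contexts[-1] == base[key] else "override"
            report[kind].append((key, base[key], contexts[-1]))
    return report

# Constructed sample inputs (not real policy files).
BASE_FC = """\
/etc(/.*)?        system_u:object_r:etc_t:s0
/etc/shadow   --  system_u:object_r:shadow_t:s0
/var/www(/.*)?    system_u:object_r:httpd_sys_content_t:s0
"""
LOCAL_FC = """\
/var/www(/.*)?    system_u:object_r:httpd_sys_rw_content_t:s0
/etc/shadow   --  system_u:object_r:shadow_t:s0
/srv/app(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/srv/app(/.*)?    system_u:object_r:var_t:s0
"""
```

Running `find_conflicts(BASE_FC, LOCAL_FC)` flags the /var/www entry as an override, the /etc/shadow entry as redundant, and the two /srv/app entries as a duplicate inside .local only.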