On Tue, 2008-07-29 at 22:20 +1000, Russell Coker wrote:
> On Tuesday 29 July 2008 21:33, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > On Tue, 2008-07-29 at 18:50 +1000, Russell Coker wrote:
> > > Currently we have the attributes user_home_dir_type and user_home_type
> > > applied to the main types for the home directory of regular users in a
> > > strict policy configuration (this means user_t etc).
> > >
> > > While it is possible to have unconfined_t and user_t on the same system,
> > > I don't expect this to be a common configuration. In fact I expect that
> > > in practice they will be mutually exclusive.
> >
> > Actually, it is a common situation in modern Fedora - they can map users
> > they wish to confine to user_u (and thus to user_t) while leaving e.g.
> > root as unconfined_u and thus unconfined_t.
>
> So what do they do for the "targeted" case where all users are unconfined_t
> and they want to have POP/IMAP servers retrieve mail from the users' home
> directories?

Dan has no MAC-based home directory separations. All home dirs are
user_home_dir_t in the Fedora policy.

-- 
Chris PeBenito
<pebenito@xxxxxxxxxx>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243