Patch to libsemanage to remove labeling of /root


Policy should label /root with one label and this should not be affected
by the passwd database.

In Fedora policy we label this as admin_home_t.  Having this label vary
depending on policy ends up with lines like

dontaudit * user_home_t:dir search_dir_perms
dontaudit * admin_home_t:dir search_dir_perms
dontaudit * sysadmin_home_t:dir search_dir_perms
dontaudit * staff_home_t:dir search_dir_perms

Labeling this directory as user_home_t opens the system to possible
security risks since some domains have to be able to write to
user_home_t when they would never be allowed to write to admin_home_t.
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.30/src/genhomedircon.c
--- nsalibsemanage/src/genhomedircon.c	2008-08-28 09:34:24.000000000 -0400
+++ libsemanage-2.0.30/src/genhomedircon.c	2009-01-12 10:29:24.000000000 -0500
@@ -794,6 +792,12 @@
 			 * /root */
 			continue;
 		}
+		if (strcmp(pwent->pw_dir, "/root") == 0) {
+			/* don't relabel / genhomdircon checked to see if root
+			 * was the user and if so, set his home directory to
+			 * /root */
+			continue;
+		}
 		if (push_user_entry(&head, name, seuname,
 				    prefix, pwent->pw_dir) != STATUS_SUCCESS) {
 			*errors = STATUS_ERR;
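Review bot: the comment on the new block is a copy of the one on the preceding check and does not describe this one (it still talks about genhomedircon checking whether "root was the user", and spells it "genhomdircon"); replace it with what the check actually does, e.g. `/* skip any account whose home directory is /root so that /root keeps the single label set by base policy */`. Two smaller points on the same lines: `strcmp(pwent->pw_dir, "/root") == 0` is an exact string match, so a passwd entry written as `/root/` would still get a per-user entry emitted, and the hunk header (`-794,6 +792,12`) shows the patch was produced against a tree with other local changes above this point, so it may need refreshing before it applies to the nsalibsemanage tree named in the diff header.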

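Added example, not code from the message or from libsemanage: it shows why a per-user entry for /root in file_contexts.homedirs changes the label that base policy assigns. The file_contexts lines are constructed for the example, and the matcher implements only the "last matching entry wins" rule, with the homedirs entries appended after the base entries.

```python
import re

# Constructed sample of a base file_contexts: /root is admin_home_t,
# ordinary home directories under /home are user_home_t.
BASE_FILE_CONTEXTS = """\
/.*                  system_u:object_r:default_t:s0
/root(/.*)?          system_u:object_r:admin_home_t:s0
/home/[^/]+(/.*)?    system_u:object_r:user_home_t:s0
"""

# Constructed sample of what a generator would append to
# file_contexts.homedirs for an account whose passwd home is /root.
HOMEDIRS_FOR_ROOT = """\
/root                -d  system_u:object_r:user_home_dir_t:s0
/root/.*                 system_u:object_r:user_home_t:s0
"""


def parse_file_contexts(text):
    """Parse file_contexts lines into (regex, file type or None, context).
    Regexes are anchored at both ends, as they are when policy is loaded."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, ctx = fields
        elif len(fields) == 2:
            (regex, ctx), ftype = fields, None
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        specs.append((re.compile("^(?:%s)$" % regex), ftype, ctx))
    return specs


def match_context(specs, path, is_dir):
    """Return the context of the last spec matching path (later entries
    override earlier ones, so an appended homedirs entry wins)."""
    result = None
    for regex, ftype, ctx in specs:
        if (ftype == "-d" and not is_dir) or (ftype == "--" and is_dir):
            continue
        if regex.match(path):
            result = ctx
    return result


def label_type(text, path, is_dir=False):
    """Type field (e.g. admin_home_t) that the given file_contexts text assigns."""
    return match_context(parse_file_contexts(text), path, is_dir).split(":")[2]
```

With the per-user entries appended, /root/.bashrc is relabeled user_home_t; without them (the effect of skipping /root in genhomedircon) it stays admin_home_t.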