Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> Joshua Brindle wrote:
>>> Daniel J Walsh wrote:
>>>> Policy should label /root with one label and this should not be
>>>> affected by the passwd database.
>>>>
>>>> In Fedora policy we label this as admin_home_t. Having this label vary
>>>> depending on policy ends up with lines like
>>>>
>>>> dontaudit * user_home_t:dir search_dir_perms
>>>> dontaudit * admin_home_t:dir search_dir_perms
>>>> dontaudit * sysadmin_home_t:dir search_dir_perms
>>>> dontaudit * staff_home_t:dir search_dir_perms
>>>>
>>>> Labeling this directory as user_home_t opens the system to possible
>>>> security risks, since some domains have to be able to write to
>>>> user_home_t when they would never be allowed to write to admin_home_t.
>>> The comment right above the added lines seems to indicate that was
>>> supposed to be root before; why is / excluded? Are we going to start a
>>> huge whitelist for genhomedircon?
>>>
>>>     if (strcmp(pwent->pw_dir, "/") == 0) {
>>>         /* don't relabel /; genhomedircon checked to see if root
>>>          * was the user and if so, set his home directory to
>>>          * /root */
>>>         continue;
>>>     }
>> No, just /root.
>>
>> /root should not be labeled based on genhomedircon.
>>
> Why are the exact same lines there for "/" then?
>
Well, I guess we do want to protect / and /root. Others should be fixed by
looking at the parent, so if I added /var as a homedir it would blow up
saying it conflicts with the previous definition of /var.

-- 
This message was distributed to subscribers of the selinux mailing list.
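The rule the last reply describes (leave / and /root alone, and reject any other passwd home directory that collides with an existing definition such as /var), as an added illustration in C; this is not genhomedircon's own code, and the file_contexts table it checks against is a constructed stand-in.

```c
#include <string.h>

/* Verdict for a candidate home directory read from the passwd database. */
enum homedir_verdict { HOMEDIR_OK, HOMEDIR_SKIP, HOMEDIR_CONFLICT };

/* Constructed stand-in for paths policy already defines (real ones come from file_contexts). */
static const struct { const char *path, *type; } known_contexts[] = {
    { "/", "root_t" }, { "/root", "admin_home_t" },
    { "/home", "home_root_t" }, { "/var", "var_t" },
};

/* Exact-path lookup in the constructed table; NULL if undefined. */
static const char *lookup_type(const char *path)
{
    size_t i;
    for (i = 0; i < sizeof known_contexts / sizeof known_contexts[0]; i++)
        if (strcmp(known_contexts[i].path, path) == 0)
            return known_contexts[i].type;
    return NULL;
}

/* Parent of a canonical absolute path (no trailing slash) into buf. */
static void parent_dir(const char *path, char *buf, size_t len)
{
    const char *slash = strrchr(path, '/');
    size_t n = slash ? (size_t)(slash - path) : 0;
    if (n == 0) { strcpy(buf, "/"); return; }     /* top-level entry */
    if (n >= len) n = len - 1;
    memcpy(buf, path, n);
    buf[n] = '\0';
}

/* / and /root are fixed by policy and never relabeled from passwd; any other
 * home directory is rejected when it, or its parent, already carries a type
 * other than home_root_t (so /var or /var/lib collides with the /var entry). */
enum homedir_verdict classify_homedir(const char *pw_dir)
{
    char parent[256];
    const char *own, *up;
    if (strcmp(pw_dir, "/") == 0 || strcmp(pw_dir, "/root") == 0)
        return HOMEDIR_SKIP;
    own = lookup_type(pw_dir);
    if (own && strcmp(own, "home_root_t") != 0)
        return HOMEDIR_CONFLICT;
    parent_dir(pw_dir, parent, sizeof parent);
    up = lookup_type(parent);
    if (up && strcmp(parent, "/") != 0 && strcmp(up, "home_root_t") != 0)
        return HOMEDIR_CONFLICT;
    return HOMEDIR_OK;
}
```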