On Fri, 2009-06-05 at 13:12 -0400, Christopher J. PeBenito wrote:
> On Thu, 2009-06-04 at 15:13 -0400, Caleb Case wrote:
> > On Wed, May 20, 2009 at 12:08 PM, Chad Sellers <csellers@xxxxxxxxxx> wrote:
> > > On 5/18/09 2:16 PM, "Daniel J Walsh" <dwalsh@xxxxxxxxxx> wrote:
> > >
> > >> This patch adds context files for virtual_domain and virtual_image,
> > >> these are both being used to locate the default context to be executed by
> > >> svirt.
> > >>
> > >> I also included the subs patch which I submitted before. This patch
> > >> allows us to substitute prefixes to matchpathcon.
> > >>
> > >> So we can say /export/home == /home
> > >>
> > >> and
> > >>
> > >> /web == /var/www
> > >
> > > I'm surprised that the subs patch didn't get much discussion before. Any
> > > thoughts on this? Any worries that it might not meld well with the work
> > > currently being done to integrate FCGlob?
> > >
> > > Thanks,
> > > Chad
> > >
> >
> > I don't think it will adversely affect FCGlob integration.
> >
> > It is going to make it harder to understand what a file will get labeled though.
> >
> > Might be useful for genhomedircon to generate a .subs file and for
> > refpolicy to provide labeling on a selinux user basis for home
> > directories:
> >
> > /root
> > /home/unconfined_u
> > /home/sysadm_u
> > ...
> >
> > with a .subs:
> >
> > /home/bob /home/unconfined_u
> > /home/sally /home/sysadm_u
> > ...
>
> Substituting the entire home dir root, like Dan's example /export/home
> == /home above, makes sense to me. However, I do not like the idea of
> adding dummy file context entries to the policy like the above example
> (/home/unconfined_u and /home/sysadm_u) to make substitution usable for
> creating file contexts for individual home dirs.

The purpose of genhomedircon is to create these types of entries. I
don't think we want file contexts in the policy that aren't actually
intended to be used.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
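
The prefix substitution discussed in this thread (/export/home == /home, /web == /var/www), sketched in C as an added example that is not part of the thread and is not libselinux's code. The function names, the file-context regexes and the types are constructed for illustration, and matching an alias only on a path-component boundary is this sketch's assumption.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed .subs table (alias -> real prefix), using the pairs from the thread. */
static const struct { const char *src, *dst; } subs[] = {
    { "/export/home", "/home" }, { "/web", "/var/www" },
};
/* Constructed file-context entries; types are illustrative, last match wins here. */
static const struct { const char *regex, *type; } contexts[] = {
    { "^/.*$",               "default_t" },
    { "^/home/[^/]+(/.*)?$", "user_home_t" },
    { "^/var/www(/.*)?$",    "httpd_sys_content_t" },
};

/* Rewrite an aliased prefix, only on a component boundary (/web2 stays /web2). */
static const char *apply_subs(const char *path, char *out, size_t outlen) {
    for (size_t i = 0; i < sizeof(subs) / sizeof(subs[0]); i++) {
        size_t n = strlen(subs[i].src);
        if (strncmp(path, subs[i].src, n) != 0 || (path[n] != '/' && path[n] != '\0'))
            continue;
        int len = snprintf(out, outlen, "%s%s", subs[i].dst, path + n);
        return (len < 0 || (size_t)len >= outlen) ? NULL : out; /* refuse truncation */
    }
    return path; /* no alias applies: look the path up as given */
}

/* Substitute first, then match the rewritten path against the entries. */
static const char *lookup_type(const char *path) {
    char buf[4096];
    const char *p = apply_subs(path, buf, sizeof(buf)), *type = NULL;
    for (size_t i = 0; p && i < sizeof(contexts) / sizeof(contexts[0]); i++) {
        regex_t re;
        if (regcomp(&re, contexts[i].regex, REG_EXTENDED | REG_NOSUB) != 0)
            continue;
        if (regexec(&re, p, 0, NULL, 0) == 0)
            type = contexts[i].type;
        regfree(&re);
    }
    return type;
}

int main(void) {
    const char *paths[] = { "/export/home/bob/.bashrc", "/web/index.html", "/web2/index.html" };
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %s\n", paths[i], lookup_type(paths[i]));
    return 0;
}
```

Because the substitution happens before the regex match, a labeling decision can only be audited by reading the .subs table and the file-context entries together, which is the readability cost raised in the thread.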