Hello Dear Experts,
First in my environment I am not allowed to ship python, so I can't
use wonderful tool semanage.
I admit that I am bit confused (&intimidated) by so many files to
manage that constitutes SELinux configuration.
Are files /etc/selinux/$P/users/local.users & system.users required
for proper functioning of SELinux user-space libraries? Or user/roles
defined in policy definitions sufficient?
I looked at the latest libselinux code it still has code to use
local.users but didn't see code that actually uses system.users, Aksi
reference policy make install also installs these files.
However in the the mailing list I have seen references back in
2005/2006 that these files are deprecated? The latest pdf file that
was mailed out recently also has reference to local.users but not to
system.users.
If system.users file is still valid which definition then takes the
precedence and doesn't this expose a security hole that someone can
change user role after the policy was generated?
In my policy definitions I am defining a new user diags_u, type
diags_t and role diags_r, essentially following statements in
policy.conf (through macros etc)
type diags_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
role diags_r types diags_t;
user diags_u roles { diags_r };
Is that sufficient? fwiw, I have been able to transition to
diags_u:diags_r:diags_t context using the newrole command, when using
policy that contains above statements.
-Sam
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
