On Tue, Feb 2, 2016 at 4:03 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
I think we would provide backward compatibility for the existing tokens, at least for some time. As far as I know, we only need to modify the refpolicy build process and libsemanage to support the new tokens.
On 02/02/2016 01:26 AM, Jason Zaman wrote:
On Mon, Feb 01, 2016 at 02:30:37PM -0500, Stephen Smalley wrote:
On 02/01/2016 04:36 AM, Jason Zaman wrote:
Hi all,
XDG_RUNTIME_DIR is usually /run/user/$UID but there is no way to label
that in an fcontext file. It used to be /run/user/USER which is easy but
not UID.
What template keyword should be used for such an entry? UID? USERID?
USERID is perhaps more obvious but has to be replaced before USER but
that should be doable.
https://github.com/SELinuxProject/selinux/blob/master/libsemanage/src/genhomedircon.c#L76
UID does not conflict with USER but this line exists in refpol which
is problematic:
contrib/fetchmail.fc:13:/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
This could also be used for several fcontexts in kerberos. It stores the
tickets in /tmp/krbcc_UID for example.
If we choose a template name I can put together a patch to add it.
No strong preferences from me on the particular name, e.g. USERID is
fine. I think it highlights however the problems with the current
approach; maybe we ought to be using ${USER} and ${UID} in .fc files
instead?
Yes there are definitely problems but fixing would mean refpol and
probably a lot of other things would need to be updated at the same
time.
HOME_DIR and HOME_ROOT are not really problems since they are only
allowed in the beginning of an fcontext line and other lines start with
a /.
USER, USERID, and possibly other things in future (GROUP, GROUPID?) can
appear at any point in the line so a more unique token might be
better. %USERID might be better than $USERID since that's a thing in
shells.
If we do go down this path, what are the steps? and what tokens do we
want?
You need a way to mark the end of the token, either %USERID% or %{USERID}.
After reading this thread, I was wondering: should a way of escaping placeholders be documented somewhere? For example, if I ever encounter a file with "%USERID" in its name, I would use "[%]USERID" in the file context pattern to give it a label. I find this quite hackish and I may have missed a better way of handling it. Where are such things usually documented?
By the way, on systems running systemd, /run/user/$UID is a tmpfs mountpoint which would be relabeled by systemd-logind right after it is created (using lsetfilecon with the label defined in the policy), but a piece of code is missing to enable this on Arch Linux and Debian. I reported this on https://github.com/systemd/systemd/pull/2508 .
Nicolas
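
The token collisions discussed in this thread, as an added Python sketch (not code from the thread, refpolicy or libsemanage): bare-token replacement depends on ordering and rewrites the quoted fetchmail path, while the %{USERID} spelling suggested above does not. The function names, the sample user alice/1000 and the error-on-unknown-token behaviour are assumptions.

```python
import re

# Constructed sample values; the fetchmail path is the refpolicy line quoted in the thread.
VALUES = {"USER": "alice", "USERID": "1000", "UID": "1000"}
FETCHMAIL = r"/var/mail/\.fetchmail-UIDL-cache"

def expand_bare(template, values, order):
    """Naive substring replacement of bare tokens, applied in the given order."""
    for token in order:
        template = template.replace(token, values[token])
    return template

# Delimited form: a token is only recognised as %{NAME}, so its end is unambiguous.
_TOKEN = re.compile(r"%\{([A-Z]+)\}")

def expand_delimited(template, values):
    """Replace %{NAME} tokens only; an unknown name is an error, not a pass-through."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unknown token %{{{name}}}")
        return values[name]
    return _TOKEN.sub(substitute, template)

if __name__ == "__main__":
    # USER replaced before USERID eats the prefix of the longer token.
    print(expand_bare("/run/user/USERID", VALUES, ["USER", "USERID"]))
    print(expand_bare("/run/user/USERID", VALUES, ["USERID", "USER"]))
    # A bare UID token rewrites an unrelated literal path.
    print(expand_bare(FETCHMAIL, VALUES, ["UID"]))
    # Delimited tokens leave the literal path alone and expand the runtime dir.
    print(expand_delimited(FETCHMAIL, VALUES))
    print(expand_delimited("/run/user/%{USERID}", VALUES))
    # The [%] bracket escape from the thread keeps a literal %{USERID} unexpanded.
    print(expand_delimited("/srv/[%]{USERID}", VALUES))
```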