On 07/24/2016 12:27 AM, Gary Tierney wrote:
> Hi,
>
> There are a few issues I've run into with genhomedircon and a custom policy
> (i.e., not based on refpolicy), 2 of which prevent me from using genhomedircon,
> and 1 small issue which I can work around.
>
> The first main issue is that my custom policy doesn't use "system_u" as the
> system user identifier (instead it is "sys.id"). So when genhomedircon writes
> out contexts for my login they are still associated with sys.id because
> genhomedircon only does a simple search and replace for the default refpolicy
> system user identifier "system_u". I had a look at existing contexts in
> homedir_templates for refpolicy, fedora-selinux and the custom policy I'm using
> and it seems like it'd be safe enough to replace the SELinux user in all the
> HOMEDIR and USER context specifications regardless of whether it matches "system_u".
> Would this be a reasonable approach?
>
> The second issue is RBACSEP in my policy. There's currently no way for
> genhomedircon to know which role to associate with a login's file context specs
> if RBACSEP is used. I noticed that genhomedircon will replace "ROLE" in context
> specs with whatever the SELinux user's prefix is, so I've currently hacked
> genhomedircon.c to replace the role in each context with whatever the user's
> prefix is and have some policy like this:
>
>     (in wheel
>         (tunableif enable_rbacsep
>             (true
>                 (userprefix id wheel.role))))
>
> This makes sure all logins associated with wheel.id get a role of "wheel.role"
> in their generated context specs. This seems like a bit of a hack since
> historically the user's prefix has been used for a prefix in a type identifier.
> Any suggestions on how this should be handled?
>
> The third and smallest issue is that semanage-login supports login identifiers
> with the %groupname format but genhomedircon doesn't expand them to the group's
> members. I currently expand groups to their members in genhomedircon and treat
> a user belonging to 2 groups listed in seusers as an error. Would a patch be
> accepted for this functionality?
>
> Thanks,
> Gary.
>

Gary, thank you. I have been wanting the above for quite some time. From a code perspective I cannot give much feedback/comments, but I surface tested this patch and all 3 features seem to work as advertised.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
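The three behaviours Gary describes (replacing the SELinux user in every HOMEDIR/USER spec rather than only a literal "system_u", optionally setting the role field from the user's prefix under RBACSEP, and expanding %groupname entries in seusers while rejecting a login that belongs to two listed groups) modelled as a small stand-alone Python script. This is an added illustration, not code from genhomedircon or from the patch discussed in the thread. The seusers content, the /etc/group lines, the context templates and the precedence rule that an explicit login entry beats a %group entry are all constructed assumptions for the example.

```python
"""Toy model of the genhomedircon changes discussed in the thread (assumptions
labelled inline; nothing here reads the real system's files)."""


# Constructed seusers file: a custom naming scheme ("sys.id"), one explicit
# login and two %group entries.
SEUSERS = """\
__default__:user.id:s0
root:sys.id:s0-s0:c0.c1023
%wheel:wheel.id:s0-s0:c0.c1023
%staff:staff.id:s0
"""

# Constructed /etc/group contents. In the second variant "bob" is a member
# of both listed groups, which the thread proposes to treat as an error.
GROUP_DB_OK = """\
wheel:x:10:alice,bob
staff:x:50:carol
"""
GROUP_DB_CONFLICT = """\
wheel:x:10:alice,bob
staff:x:50:bob,carol
"""

# Constructed homedir/user templates using the HOME_DIR, USER and ROLE
# placeholders the thread mentions; the SELinux user field is the refpolicy
# default "system_u", the field the first issue is about.
HOMEDIR_TEMPLATE = [
    "HOME_DIR\t-d\tsystem_u:object_r:ROLE_home_dir_t:s0",
    "HOME_DIR/.*\tsystem_u:object_r:ROLE_home_t:s0",
]
USER_TEMPLATE = [
    "/tmp/gconfd-USER\t-d\tsystem_u:object_r:ROLE_tmp_t:s0",
]


def parse_group_db(text):
    """Map group name -> member list from /etc/group-style lines."""
    members = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, mem = line.split(":", 3)
        members[name] = [m for m in mem.split(",") if m]
    return members


def expand_seusers(seusers_text, group_db):
    """Return {login: (seuser, mls_range)} with %group entries expanded.

    Assumed precedence: an explicit login line wins over any group it belongs
    to; membership in two different %group entries raises ValueError.
    """
    explicit, via_group, origin = {}, {}, {}
    for line in seusers_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, seuser, mls = line.split(":", 2)
        if not name.startswith("%"):
            explicit[name] = (seuser, mls)
            continue
        group = name[1:]
        for member in group_db.get(group, []):
            if member in origin and origin[member] != group:
                raise ValueError(
                    f"login {member!r} is in both %{origin[member]} and %{group}")
            origin[member] = group
            via_group[member] = (seuser, mls)
    merged = dict(via_group)
    merged.update(explicit)
    return merged


def has_group_conflict(seusers_text, group_text):
    """True when expansion fails because a login is in two listed groups."""
    try:
        expand_seusers(seusers_text, parse_group_db(group_text))
    except ValueError:
        return True
    return False


def rewrite_context(spec_line, seuser, role=None):
    """Set the SELinux user of a file-context spec unconditionally (instead of
    matching only "system_u"); optionally also set the role field (RBACSEP)."""
    head, _, context = spec_line.rpartition("\t")
    fields = context.split(":")
    fields[0] = seuser
    if role is not None:
        fields[1] = role
    return head + "\t" + ":".join(fields)


def render_login(login, home, seuser, prefix, role=None):
    """Instantiate the templates for one login; ROLE stays a type prefix as in
    refpolicy, and `role` (e.g. the user prefix under the thread's hack) is
    written into the role field only when given."""
    out = []
    for tpl in HOMEDIR_TEMPLATE + USER_TEMPLATE:
        spec = tpl.replace("HOME_DIR", home).replace("USER", login)
        spec = spec.replace("ROLE", prefix)
        out.append(rewrite_context(spec, seuser, role))
    return out


if __name__ == "__main__":
    logins = expand_seusers(SEUSERS, parse_group_db(GROUP_DB_OK))
    for name, (seuser, _mls) in sorted(logins.items()):
        if name == "__default__":
            continue
        prefix = seuser.split(".")[0]
        for spec in render_login(name, f"/home/{name}", seuser, prefix):
            print(spec)
    print("conflict:", has_group_conflict(SEUSERS, GROUP_DB_CONFLICT))
```

Running it prints one spec set per expanded login with the constructed "sys.id"/"wheel.id" users substituted, and reports the two-group conflict for the second group database; passing `role="wheel.role"` to `render_login` reproduces the RBACSEP variant from the thread.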