On 08/23/2016 09:50 AM, Gary Tierney wrote:
> On Tue, Aug 23, 2016 at 08:54:17AM -0400, Stephen Smalley wrote:
>> On 08/22/2016 04:22 PM, Gary Tierney wrote:
>>> From: Gary Tierney <selinux@xxxxxxxxxxxxx>
>>>
>>> Re-spin of my original patch that adds support for logins mapped using the
>>> group %syntax to genhomedircon. This version includes fixes for the issues
>>> raised by Jason and splits the bugfix into a separate commit.
>>>
>>> There was a bit of confusion about the MLS level, I think, since semanage-user
>>> supports a default MLS level and not semanage-login. So it wouldn't be possible
>>> for a login to have a more specific level than the fallback login in that case.
>>> Though the bugfix still addresses an issue with home directories outside of
>>> /home / LU_HOMEDIRCETORY and is required for the second commit.
>>
>> semanage login can set a more limited range for a Linux user than what
>> is allowed for the SELinux user. Thus, you can have a single SELinux
>> user that is authorized for a wider range but narrow its scope on a
>> per-Linux-user basis via semanage login.
>>
>>>
>>> Gary Tierney (2):
>>>   genhomedircon: generate contexts for logins mapped to the default user
>>>   genhomedircon: add support for %group syntax
>>>
>>>  libsemanage/src/genhomedircon.c | 314 +++++++++++++++++++++++++++++++---------
>>>  1 file changed, 243 insertions(+), 71 deletions(-)
>>>
>>
>
> Yes, it's possible for a more specific range, and not level. Though, the
> current behavior of genhomedircon is to replace any instance of "s0" with the
> user's (semanage-user) level. Should the range of the login be used here instead?
> I'm unsure about this.

That's true; that seems wrong to me, but your patch didn't introduce it, so it
won't hold up merging of your patches.

> Also, there's an identical v3 of this patch above to get rid of the erroneous
> committer / signed-off-by / author information in this patch. Sorry about
> that.