On 09/23/2016 04:28 PM, Gary Tierney wrote:
> This patch implements support for policies using RBACSEP in genhomedircon. It
> works by using an SELinux user's "prefix" as the role in their homedir contexts.
> It seems that genhomedircon has previously supported something similar, as it'll

You are referring to the old "privsep" model. This is indeed no longer used AFAIK.

> currently replace the string "ROLE" with whatever a user's prefix is. However,
> if using CIL we can't leverage this, since secilc will complain about the
> semantics of an invalid role named "ROLE" in a filecon statement.
>
> Since there's no way for a CIL policy to tell genhomedircon whether a role should
> be replaced or not, a new "genhomedircon-rbacsep" option was added to
> /etc/selinux/semanage.conf.
>
> I'm not convinced that this is the best way to go about this. Maybe an initial
> role can be implicitly figured out using libsepol's API? Anyway, I've submitted
> this to see if there's any better options for supporting RBACSEP in home dir
> context generation.
>
> There was some previous discussion about this here for reference:
> http://oss.tresys.com/pipermail/refpolicy/2011-August/004417.html
>
> Gary Tierney (1):
>   genhomedircon: support policies using RBACSEP
>
>  libsemanage/src/conf-parse.y    | 14 +++++++++++++-
>  libsemanage/src/conf-scan.l     |  1 +
>  libsemanage/src/genhomedircon.c | 30 +++++++++++++++++++++++++++++-
>  libsemanage/src/semanage_conf.h |  1 +
>  4 files changed, 44 insertions(+), 2 deletions(-)
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift