From: Joshua Brindle <jbrindle@tresys.com>
To: gyurdiev@redhat.com
Cc: Daniel J Walsh <dwalsh@redhat.com>,
	SELinux <selinux@tycho.nsa.gov>,
	selinux-dev@tresys.com
Subject: Re: Restorecon script
Date: Fri, 10 Jun 2005 12:05:42 -0400
Message-ID: <1118419542.366.8.camel@localhost>
In-Reply-To: <1118370767.30464.16.camel@localhost.localdomain>

On Thu, 2005-06-09 at 22:32 -0400, Ivan Gyurdiev wrote:
> > What problem is this solving?
> 
> It is solving the problem of labeling things properly in /tmp and /home
> (according to recent policy changes,

Relabeling at policy modification time is much better than automated
relabeling when a user logs in.

>  which I've been working on).
> This cannot be accomplished by either inheriting the parent's context,
> (because it's not the same), or by file_type_auto_trans, because of
> ambiguity - same type change rule matches multiple target types.
> You can see details of what I mean in the thread "file_type_auto_trans
> is not sufficient" on selinux@tycho.nsa.gov.
> 
> It can be solved by setfscreate code in the application, but
> that's worse - intrusive code in multiple applications.
> 

It can also be solved by properly structuring directories, either by
application configuration or, if necessary, by modifying the application in a
much less intrusive way (this was mentioned on that thread, I believe).

> Creating folders ahead of time is the most acceptable solution so far.
> I'm not sure how exactly this should be done, but some sort of simple 
> script like this is one possibility. 
> 

Scripts that install stuff to skel maybe should be responsible for
adding them to user dirs and labeling properly. This would be a trusted
app (rpm or whatever) instead of a user shell script.

> >  In general relabeling isn't something that 
> > should be done without careful attention, especially when automated. 
> 
> I agree.
> 
> > User home directories shouldn't have incorrect labels if care is taken 
> > (ie, skel contains the directories you'd be relabeling anyway and they 
> > are labeled correctly when the user is added).
> 
> skel is populated when installing individual applications, and 
> that doesn't fix the labels for existing users, only for newly 
> created users. Also, that doesn't address /tmp.
> ==============

response above

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
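The thread's point is that relabeling under /home and /tmp deserves review rather than an automated fix at login. The script below is an added example, not code from this thread, from Tresys, or from any SELinux tool: it parses a constructed file_contexts-style spec, resolves each path's expected label with a last-matching-entry rule (assumed here as a stand-in for matchpathcon's precedence; the real libselinux rules are more involved), and reports what a relabel would change without changing anything. All paths, type names and contexts are constructed sample values.

```python
"""Dry-run label audit: report files whose context disagrees with a
file_contexts-style spec without relabeling anything. Added example;
the spec, inventory and context names below are constructed samples."""
import re

# Constructed sample in file_contexts layout: regex, optional file-type
# field (-d directory, -- regular file, -l symlink), then the context.
SAMPLE_FILE_CONTEXTS = r"""
# regex                      [type]  context
/home/[^/]+(/.*)?                    system_u:object_r:user_home_t:s0
/home/[^/]+/\.ssh(/.*)?              system_u:object_r:user_ssh_home_t:s0
/home/[^/]+/\.gnupg(/.*)?    -d      system_u:object_r:user_gnupg_home_t:s0
/tmp/.*                              <<none>>
"""

# Subset of the file-type qualifiers; anything else is rejected by the parser.
TYPE_FIELDS = {"--": "file", "-d": "dir", "-l": "symlink"}


def parse_file_contexts(text):
    """Return a list of (compiled regex, file type or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in TYPE_FIELDS:
            regex, ftype, context = fields[0], TYPE_FIELDS[fields[1]], fields[2]
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        # The regex must match the whole path, as setfiles/matchpathcon require.
        specs.append((re.compile("^(?:" + regex + ")$"), ftype, context))
    return specs


def expected_context(specs, path, ftype):
    """Last matching spec wins (assumed rule for this example).
    Returns None when nothing matches or the winner is <<none>>."""
    winner = None
    for regex, spec_type, context in specs:
        if spec_type is not None and spec_type != ftype:
            continue  # type-qualified entry does not apply to this object
        if regex.match(path):
            winner = context
    return None if winner == "<<none>>" else winner


def audit(specs, inventory):
    """inventory: list of (path, file type, current context).
    Returns (path, current, expected) triples a relabel would touch."""
    mismatches = []
    for path, ftype, current in inventory:
        want = expected_context(specs, path, ftype)
        if want is not None and want != current:
            mismatches.append((path, current, want))
    return mismatches


# Constructed inventory standing in for an `ls -Z`-style walk of /home and /tmp.
SAMPLE_INVENTORY = [
    ("/home/alice", "dir", "system_u:object_r:user_home_t:s0"),
    # .ssh inherited the parent's label when it was created: would be relabeled
    ("/home/alice/.ssh", "dir", "system_u:object_r:user_home_t:s0"),
    ("/home/alice/.ssh/id_rsa", "file", "system_u:object_r:user_ssh_home_t:s0"),
    # .gnupg likewise carries the parent's label: would be relabeled
    ("/home/alice/.gnupg", "dir", "system_u:object_r:user_home_t:s0"),
    # the -d entry covers only directories, so this file falls back to the base rule
    ("/home/alice/.gnupg/pubring.gpg", "file", "system_u:object_r:user_home_t:s0"),
    # <<none>> entries are left alone, whatever their current label
    ("/tmp/sess_123", "file", "system_u:object_r:user_tmp_t:s0"),
]

if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for path, cur, want in audit(specs, SAMPLE_INVENTORY):
        print("would relabel %s from %s to %s" % (path, cur, want))
```

The output lists only the two directories that inherited their parent's label, which is exactly the case the thread describes; a file under /tmp matched by <<none>> is never reported. On a real system, `restorecon -nv` gives the same kind of report-only view, and reviewing that list is the "careful attention" step before any relabel is applied.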
