From: Karl MacMillan <kmacmillan@mentalrootkit.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Joshua Brindle <jbrindle@tresys.com>,
Todd Miller <tmiller@tresys.com>,
selinux@tycho.nsa.gov
Subject: RE: [patch 0/4] libsemanage: genhomedircon replacement
Date: Fri, 17 Aug 2007 09:31:10 -0400
Message-ID: <1187357470.9435.12.camel@localhost.localdomain>
In-Reply-To: <1187280118.909.22.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-08-16 at 12:01 -0400, Stephen Smalley wrote:
> On Wed, 2007-08-15 at 17:09 -0400, Karl MacMillan wrote:
> > On Wed, 2007-08-15 at 16:47 -0400, Joshua Brindle wrote:
[...]
>
> I guess I'm confused. genhomedircon has been present in upstream
> selinux for some time, so we can't just remove it without providing
> equivalent functionality.
>
Well - it would have to be coordinated with policy updates. I guess I'd
be fine with providing a way to optionally run it.

> Not generating per-role types can be done by shipping a homedir_template
> with no "macros" (ROLE).
>
> It doesn't actually walk all users, does it?

Not the current version.

> Just ones that have
> explicit entries in seusers (everyone else falling back to the default
> and having their home directories labeled with the base set of home
> directory types for user_t).
>
I'm still concerned about the number of calls out to a directory for a
large seusers file and eventually I want to push the seusers mapping
into the directory as well.

I'm also thinking about when we finally have labeled, remote home
directories. Each system trying to label home directories based on its
view of the default role for a user is going to break horribly.

> So what's the real problem with leaving it intact, and just changing
> your usage if you don't want per-role home directory types.
>
If it can be completely disabled that's fine (this is assuming that Dan
wants to make this change on home directory labeling). What I'm really
pushing for is reconsidering whether the current practice makes sense
and considering the problems that it causes. I'm probably going about this
the wrong way as there hasn't been much discussion on that point.

As I'm trying to make user home directories work in a typical remote
homedir / directory setting I would like to get the defaults changed
sooner so that when that support finally shows up we are ready.

Karl