* fuse - how to "mirror" user_t file access rights?
@ 2004-09-27 1:21 Luke Kenneth Casson Leighton
2004-09-28 15:21 ` Russell Coker
From: Luke Kenneth Casson Leighton @ 2004-09-27 1:21 UTC (permalink / raw)
To: SE-Linux

hi,

does anyone have any ideas on how to mirror the exact same file
permissions as a user_t or sysadm_t or staff_t... in another domain?

i'm writing a policy for a fuse program (fusexmp) and yes i'm also
modifying the fuse kernel module to support xattrs.

the issue is as follows:

- a macro similar to mount_domain called fusexmp_domain creates a domain
  $2_fusexmp_t from its argument e.g. user -> user_fusexmp_t.

- user_t running the fusexmp_exec_t program causes a domain_auto_trans
  into user_fusexmp_t.

- any user file access on, say /Documents/foo will result in
  /usr/bin/fusexmp doing a corresponding file access on
  /home/yourusername/foo...

  ... but as explained above, this access is done in the
  user_fusexmp_t domain

i found the privhome domain thing but russell said "no way!"
because privhome allows access to *all* user domains.

does anyone know if there is a half-way-house that i can use,
which will grant access to just the given user's files and
directories, as if it was that user doing the access?

ta,

l.

--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
http://lkcl.net
lkcl@lkcl.net
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: fuse - how to "mirror" user_t file access rights?
@ 2004-09-28 15:21 ` Russell Coker
From: Russell Coker @ 2004-09-28 15:21 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux

On Mon, 27 Sep 2004 11:21, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> i found the privhome domain thing but russell said "no way!"
> because privhome allows access to *all* user domains.

file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t)

To do this properly we need an attribute that matches all the other file types
for the user, I'll work on that later.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--