* fuse - how to "mirror" user_t file access rights?
@ 2004-09-27 1:21 Luke Kenneth Casson Leighton
2004-09-28 15:21 ` Russell Coker
0 siblings, 1 reply; 2+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-09-27 1:21 UTC (permalink / raw)
To: SE-Linux
hi,

does anyone have any ideas on how to mirror the exact same file
permissions as a user_t or sysadm_t or staff_t... in another domain?

i'm writing a policy for a fuse program (fusexmp) and yes i'm also
modifying the fuse kernel module to support xattrs.

the issue is as follows:

- a macro similar to mount_domain called fusexmp_domain creates a domain
  $2_fusexmp_t from its argument e.g. user -> user_fusexmp_t.

- user_t running the fusexmp_exec_t program causes a domain_auto_trans
  into user_fusexmp_t.

- any user file access on, say /Documents/foo will result in
  /usr/bin/fusexmp doing a corresponding file access on
  /home/yourusername/foo...

  ... but as explained above, this access is done in the
  user_fusexmp_t domain

i found the privhome domain thing but russell said "no way!"
because privhome allows access to *all* user domains.

does anyone know if there is a half-way-house that i can use,
which will grant access to just the given user's files and
directories, as if it was that user doing the access?

ta,

l.
--
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net"> lkcl.net </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />
--