From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Darrel Goeddel <dgoeddel@TrustedCS.com>,
Ivan Gyurdiev <ivg2@cornell.edu>,
Karl MacMillan <kmacmillan@tresys.com>,
SELinux <SELinux@tycho.nsa.gov>
Subject: Re: getseuserbyname patch
Date: Thu, 06 Oct 2005 13:10:52 -0400
Message-ID: <43455A9C.7030901@redhat.com>
In-Reply-To: <1128617540.15836.141.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
> On Thu, 2005-10-06 at 09:52 -0400, Daniel J Walsh wrote:
>
>> Of course if I can get rid of this file, I can probably muck around with
>> the config file also.
>> As long as we don't require the flag and default to old behavior. For
>> MLS installs we can
>> put in the flag in the config file and change it to fail if the file is
>> missing.
>>
>
> Yes, that was the idea.
>
> BTW, it occurs to me that the cases are different for no seusers.conf
> versus a seusers.conf but no matching entry and no default entry. The
> latter is more dangerous to allow to default to the old behavior,
> because a simple error in the config file could cause it to skip the
> entry for the user. Is it unreasonable to always treat no match/no
> default as an error?
>
>
Ok, I was just thinking the level on no match would be SystemLow, but
that is not easy to state in policy.
So forcing there to be a default/match, or returning an error, is ok.
>> There are files in policy now that are marked config(noreplace) like
>> local.users, ports, devices etc. So I don't think this is any
>> different.
>>
>
> Yes, I just wasn't sure if you ultimately intend to migrate them out,
> particularly if libsemanage takes over control of all customizations.
> At that point, the files from policy are just pushed into the sandbox
> and all modifications occur within the sandbox and to the generated
> files used at runtime, not directly to any files from the policy
> package.
>
>
But they still will need to exist and be recompiled into the sandbox,
correct? I would still consider these files to be policy
specific. So they would need to be in the policy tree.
BTW: I would like to rename seusers.conf to seusers and put it in
/etc/selinux/TYPE/seusers
I also am upping sensitivity level to s15 and category to c255, in the
latest policy and changing the range lines appropriately.
As proposed by Steve Grubb.
As soon as the libselinux changes show up I will put in a patch to
pam_selinux to allow level selection.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
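The lookup rule the two of you settle on above (no mapping file at all keeps the old behaviour, but a file that has neither a matching entry nor a default entry is an error rather than something to skip past silently), written out as an added example in C. This is not libselinux code and not code from the thread; it assumes a "login:seuser:level" line format with the literal login "__default__" as the fallback entry, takes the file contents as a string so it runs without touching /etc/selinux, and uses constructed sample entries.

```c
/* Added example, not libselinux code.  Assumptions (not from the thread):
 *   - one entry per line, "login:seuser:level", '#' starts a comment;
 *   - the literal login "__default__" is the fallback entry;
 *   - the caller hands in the file contents (or NULL if the file does not
 *     exist) so the lookup can be exercised offline. */
#include <stdio.h>
#include <string.h>

enum seuser_status {
    SEUSER_MATCH   =  0,  /* explicit entry for this login */
    SEUSER_DEFAULT =  1,  /* no entry, __default__ entry used */
    SEUSER_NOFILE  =  2,  /* no mapping file: legacy behaviour is allowed */
    SEUSER_NOMATCH = -1,  /* file present, no match and no default: error */
    SEUSER_BADLINE = -2   /* malformed line: error, never skipped silently */
};

#define SEUSER_MAX 256

/* Split "login:seuser:level" into three fields.  The level keeps everything
 * after the second colon, so MLS ranges such as "s0-s15:c0.c255" survive. */
static int parse_line(const char *line, char *login, char *seuser, char *level)
{
    const char *a = strchr(line, ':');
    if (!a) return -1;
    const char *b = strchr(a + 1, ':');
    if (!b) return -1;
    size_t l1 = (size_t)(a - line), l2 = (size_t)(b - a - 1), l3 = strlen(b + 1);
    if (l1 == 0 || l2 == 0 || l1 >= SEUSER_MAX || l2 >= SEUSER_MAX || l3 >= SEUSER_MAX)
        return -1;
    memcpy(login, line, l1);  login[l1] = '\0';
    memcpy(seuser, a + 1, l2); seuser[l2] = '\0';
    memcpy(level, b + 1, l3);  level[l3] = '\0';
    return 0;
}

/* First explicit match wins; otherwise the first __default__ entry; otherwise
 * an error.  Output buffers must hold SEUSER_MAX bytes. */
int seuser_lookup(const char *contents, const char *name,
                  char *seuser_out, char *level_out)
{
    if (contents == NULL)
        return SEUSER_NOFILE;

    char def_seuser[SEUSER_MAX] = "", def_level[SEUSER_MAX] = "";
    int have_default = 0;
    const char *p = contents;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[SEUSER_MAX];
        if (len >= sizeof line) return SEUSER_BADLINE;
        memcpy(line, p, len); line[len] = '\0';
        p = nl ? nl + 1 : p + len;

        if (len && line[len - 1] == '\r') line[--len] = '\0';  /* tolerate CRLF */
        size_t s = strspn(line, " \t");
        if (line[s] == '\0' || line[s] == '#') continue;       /* blank / comment */

        char login[SEUSER_MAX], su[SEUSER_MAX], lv[SEUSER_MAX];
        if (parse_line(line + s, login, su, lv) != 0)
            return SEUSER_BADLINE;   /* a broken line must not drop a user */

        if (strcmp(login, name) == 0) {
            strcpy(seuser_out, su); strcpy(level_out, lv);
            return SEUSER_MATCH;
        }
        if (!have_default && strcmp(login, "__default__") == 0) {
            strcpy(def_seuser, su); strcpy(def_level, lv);
            have_default = 1;
        }
    }
    if (have_default) {
        strcpy(seuser_out, def_seuser); strcpy(level_out, def_level);
        return SEUSER_DEFAULT;
    }
    return SEUSER_NOMATCH;
}

/* Convenience for checks: returns the status if the resolved seuser/level
 * equal the expected strings, or -99 if they do not. */
int seuser_check(const char *contents, const char *name,
                 const char *want_seuser, const char *want_level)
{
    char su[SEUSER_MAX] = "", lv[SEUSER_MAX] = "";
    int rc = seuser_lookup(contents, name, su, lv);
    if (rc < 0 || rc == SEUSER_NOFILE) return rc;
    return (strcmp(su, want_seuser) == 0 && strcmp(lv, want_level) == 0) ? rc : -99;
}

/* Constructed sample, not a real system file. */
static const char SAMPLE_SEUSERS[] =
    "# constructed sample\n"
    "root:root:s0-s15:c0.c255\n"
    "dwalsh:staff_u:s0\n"
    "__default__:user_u:s0\n";

int main(void)
{
    char su[SEUSER_MAX], lv[SEUSER_MAX];
    int rc = seuser_lookup(SAMPLE_SEUSERS, "root", su, lv);
    printf("root   -> status %d, seuser %s, level %s\n", rc, su, lv);
    rc = seuser_lookup(SAMPLE_SEUSERS, "nobody", su, lv);
    printf("nobody -> status %d, seuser %s, level %s\n", rc, su, lv);
    rc = seuser_lookup("dwalsh:staff_u:s0\n", "nobody", su, lv);
    printf("nobody with no __default__ -> status %d (error)\n", rc);
    return 0;
}
```

The two error codes are the point: a caller that treats SEUSER_NOFILE as "fall back to the pre-seusers behaviour" but SEUSER_NOMATCH and SEUSER_BADLINE as hard failures gets exactly the split discussed above, and a typo in one line cannot quietly demote a user to whatever the old code would have chosen.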