From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <437B47FE.3030404@cornell.edu>
Date: Wed, 16 Nov 2005 09:53:50 -0500
From: Ivan Gyurdiev
MIME-Version: 1.0
To: Ivan Gyurdiev
CC: Stephen Smalley , Daniel J Walsh , SELinux-dev@tresys.com, Joshua Brindle , SE Linux
Subject: Re: rawhide targeted vs. refpolicy rpm
References: <4378B88B.6040003@redhat.com> <4378C285.3080005@tresys.com>
 <4378D6F9.5070301@redhat.com>
 <1131997064.5415.241.camel@moss-spartans.epoch.ncsc.mil>
 <1132053434.5415.269.camel@moss-spartans.epoch.ncsc.mil>
 <1132062002.5415.350.camel@moss-spartans.epoch.ncsc.mil>
 <4379F431.1070908@redhat.com>
 <1132066658.5415.379.camel@moss-spartans.epoch.ncsc.mil>
 <1132067431.5415.383.camel@moss-spartans.epoch.ncsc.mil>
 <1132067881.5415.391.camel@moss-spartans.epoch.ncsc.mil>
 <1132081420.28124.80.camel@moss-spartans.epoch.ncsc.mil>
 <437A3BFA.1080901@cornell.edu>
 <1132146675.12540.16.camel@moss-spartans.epoch.ncsc.mil>
 <437B374B.8040401@cornell.edu>
 <1132148567.12540.28.camel@moss-spartans.epoch.ncsc.mil>
 <437B3D53.1090401@cornell.edu>
 <1132150483.3425.9.camel@moss-spartans.epoch.ncsc.mil>
 <437B41BF.7030002@cornell.edu>
 <1132151186.3425.21.camel@moss-spartans.epoch.ncsc.mil>
 <437B4674.9050405@cornell.edu>
In-Reply-To: <437B4674.9050405@cornell.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

>>> Well, okay... I guess it's about as easy to add an arbitrary prefix
>>> than to use the current defrole functions.
>>> It's probably easier, actually...
>>>
>>> So, should this go into a separate file? If it's key-ed on the user,
>>> why shouldn't it go into the user file?
>>> Also, there's the issue of local vs policy. In-policy users that are
>>> not in the local file also require a labeling prefix.
>>>
>>
>> For local users, it could go into the users.local file managed by
>> libsemanage. For in-policy users, the policy package needs to provide a
>> new file that assigns them a labeling prefix for use by libsemanage.
>>
> Too complicated...fewer files is better. It seems better to call a
> utility in the %post script that will do if (!exists_local(root))
> add_local(root, (root's data)). That also allows users to see that
> data if they choose to modify the file by hand.

Actually, no this is a very stupid idea, because:

1) it implies prefixes for users only found in policy are local modifications, and
2) updates will not override previous value, because they'll think it was locally modified.

... another file is the right way to do this.
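
Added example (not part of the original message, and not libsemanage code): a small Python model of the two objections above, comparing seeding the local store from %post with a separate package-owned prefix file. The function names, store layout and the prefix values "user", "sysadm" and "staff" are assumptions made for illustration.

```python
# Constructed model, not libsemanage code: each store maps user -> labeling prefix.

def post_seed_local(local, shipped):
    """%post idea from the quoted text: add_local() only if no local entry exists."""
    for user, prefix in shipped.items():
        if user not in local:          # if (!exists_local(user))
            local[user] = prefix       # add_local(user, data)

def effective_seeded(local):
    """With seeding, the local store is the only source of prefixes."""
    return dict(local)

def install_policy_file(shipped):
    """Separate-file idea: the package replaces its own file on every update."""
    return dict(shipped)

def effective_layered(policy_file, local):
    """Local entries override the package file; nothing is copied into local."""
    merged = dict(policy_file)
    merged.update(local)
    return merged

def run_scenario():
    v1 = {"root": "user"}      # constructed: prefix shipped by policy version 1
    v2 = {"root": "sysadm"}    # constructed: prefix shipped by policy version 2

    # Approach A: seed the local store from %post on install, then on update.
    local_a = {}
    post_seed_local(local_a, v1)
    post_seed_local(local_a, v2)
    seeded = effective_seeded(local_a)

    # Approach B: package-owned file plus an untouched local store.
    local_b = {}
    policy_file = install_policy_file(v1)
    policy_file = install_policy_file(v2)
    layered = effective_layered(policy_file, local_b)

    return {
        "seeded_prefix": seeded["root"],           # stale v1 value survives
        "seeded_looks_local": "root" in local_a,   # same as an admin edit
        "layered_prefix": layered["root"],         # update took effect
        "layered_looks_local": "root" in local_b,  # local store stays clean
    }

if __name__ == "__main__":
    print(run_scenario())
```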