From: Joshua Brindle <jbrindle@tresys.com>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: selinux@tycho.nsa.gov, sds@tycho.nsa.gov, kmacmillan@mentalrootkit.com
Subject: Re: [patch 0/3] genhomedircon replacement in libsemanage
Date: Tue, 22 May 2007 13:35:00 -0400 [thread overview]
Message-ID: <465329C4.9080202@tresys.com> (raw)
In-Reply-To: <4653270A.50308@redhat.com>
Daniel J Walsh wrote:
> jbrindle@tresys.com wrote:
>> This replaces genhomedircon with equivalent functionality in
>> libsemanage. The homedir_template is also no longer installed, this
>> leaves some unused path functions in libselinux but removing those
>> would break the ABI.
>> This does the same things that genhomedircon did though some seemed
>> strange, like removing /sbin/nologin from the list of valid shells,
>> presumably to keep ftp users and such from getting file contexts
>> generated for them, I'm not sure how valid the assumption is but we
>> didn't want to change the functionality of genhomedircon in this patch
>> set.
>>
>> The first patch adds genhomedircon.c to libsemanage and calls it from
>> the semanage_store.c and removes the prior call to genhomedircon.
>>
> genhomedircon goal in life was to find "login user accounts" and
> generate appropriate file context for them. So we do not want any users
> with UID < 500 or with invalid shells. /bin/nologin is not a valid
> login shell. genhomedir command should be kept around even if it is
> only front-ending libsemanage. Since an admin can add additional users
> with homedirs in random locations. They could/should then run
> genhomedircon to fix the file context file.
>> The second patch is a set of tests for the new functions
>>
Why is /bin/nologin in /etc/shells then? Our code is now making
assumptions about what shells are indeed valid that isn't based on what
the system itself says.
semanage -Bn will rebuild the file context files (and the rest of the
policy) which includes running genhomedircon. No need for an external
command to do this.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2007-05-22 17:35 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-05-21 9:54 [patch 0/3] genhomedircon replacement in libsemanage jbrindle
2007-05-21 9:54 ` [patch 1/3] libsemanage: genhomedircon replacement jbrindle
2007-05-22 21:08 ` Karl MacMillan
2007-05-24 14:04 ` Mark Goldman
2007-05-24 14:45 ` Karl MacMillan
2007-05-24 15:44 ` Daniel J Walsh
2007-05-24 19:20 ` Mark Goldman
2007-05-25 15:52 ` Karl MacMillan
2007-05-25 17:06 ` Joshua Brindle
2007-05-26 0:02 ` Karl MacMillan
2007-05-29 20:25 ` audit2allow module generation Anand Patel
2007-05-29 21:11 ` Karl MacMillan
2007-05-30 14:44 ` Anand Patel
2007-05-31 16:05 ` Karl MacMillan
2007-06-08 15:36 ` Karl MacMillan
2007-06-11 13:47 ` Anand Patel
2007-08-30 13:43 ` Anand Patel
2007-09-03 16:13 ` Karl MacMillan
2007-09-10 14:10 ` Anand Patel
2007-09-10 16:01 ` Karl MacMillan
2007-06-19 15:09 ` [patch 1/3] libsemanage: genhomedircon replacement Joshua Brindle
2007-06-21 16:29 ` Karl MacMillan
2007-06-21 16:49 ` Joshua Brindle
2007-06-21 18:04 ` Karl MacMillan
2007-06-21 18:09 ` Joshua Brindle
2007-06-21 18:18 ` Karl MacMillan
2007-06-21 18:25 ` Joshua Brindle
2007-06-21 18:35 ` Karl MacMillan
2007-06-21 20:54 ` Eamon Walsh
2007-06-22 11:50 ` Daniel J Walsh
2007-06-22 15:22 ` Karl MacMillan
2007-06-22 15:31 ` Joshua Brindle
2007-06-22 16:04 ` Karl MacMillan
2007-06-22 16:58 ` Eamon Walsh
2007-06-22 19:30 ` Karl MacMillan
2007-06-22 20:55 ` Eamon Walsh
2007-07-02 14:00 ` Joshua Brindle
2007-07-02 14:23 ` Karl MacMillan
2007-07-02 15:54 ` Joshua Brindle
2007-07-02 21:26 ` Joshua Brindle
2007-07-03 1:12 ` James Antill
2007-07-03 11:15 ` Can someone please assist me with selinux issue David Cottle
[not found] ` <1183464455.12218.243.camel@moss-spartans.epoch.ncs! c.mil>
2007-07-03 12:07 ` Stephen Smalley
2007-07-04 23:30 ` David Cottle
2007-07-05 12:33 ` Stephen Smalley
2007-07-12 19:03 ` Libsemanage dependency on version of Linux Hasan Rezaul-CHR010
2007-07-12 19:39 ` Stephen Smalley
2007-07-12 19:48 ` Hasan Rezaul-CHR010
2007-07-12 19:57 ` Stephen Smalley
2007-07-12 19:49 ` Stephen Smalley
2007-07-02 14:54 ` [patch 1/3] libsemanage: genhomedircon replacement James Antill
2007-06-22 20:00 ` James Antill
2007-05-24 15:05 ` Steve G
2007-05-24 15:27 ` Karl MacMillan
2007-05-24 16:00 ` James Antill
2007-05-25 14:22 ` Mark Goldman
2007-05-21 9:54 ` [patch 2/3] libsemanage: test functions jbrindle
2007-05-21 9:54 ` [patch 3/3] Remove legacy genhomedircon python script jbrindle
2007-05-22 17:23 ` [patch 0/3] genhomedircon replacement in libsemanage Daniel J Walsh
2007-05-22 17:35 ` Joshua Brindle [this message]
2007-05-22 21:10 ` Karl MacMillan
2007-05-22 21:11 ` Karl MacMillan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=465329C4.9080202@tresys.com \
--to=jbrindle@tresys.com \
--cc=dwalsh@redhat.com \
--cc=kmacmillan@mentalrootkit.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.