From: Joshua Brindle <method@manicmethod.com>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: SE Linux <selinux@tycho.nsa.gov>, Chris PeBenito <cpebenito@tresys.com>
Subject: Re: Patch to libsemanage to remove labeling of /root
Date: Wed, 18 Feb 2009 16:42:56 -0500
Message-ID: <499C80E0.4000908@manicmethod.com>
In-Reply-To: <499C7CD0.9070907@redhat.com>
<snip>
>>> suddenly change labels. I could not disagree more.
>>>
> The argument here is whether or not /root is a "home directory". I don't
> agree that it is; at least it is not the same as /home/dwalsh.
>
> They are different and the tools should treat them differently.
>
> Allowing a domain to interact with /root is different than allowing it
> to interact with /home/dwalsh. Allowing random users to accidentally
> change this is, in my mind, a security risk.
>
> I want genhomedircon to handle the case when a user puts his home
> directories in /home/devel/ and /export/home. So I need genhomedircon.
>
> But I intend to write policy that relies on the /root directory having a
> fixed file context.
>
OK, the tools should be policy agnostic IMO, and this patch hard-codes a
behavior that is policy specific.
I'm not going to merge this patch, but if/when you or someone sends one that
addresses the issue in a flexible way I'll be more open to that.
My suggestion is to make an excluded paths variable in semanage.conf that allows
downstream users to exclude the paths they care about (alternatively an included
paths list might be more appropriate, but I'd have to think that through).
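An added illustration of the excluded-paths idea proposed in the reply above; this is not libsemanage code and not code from either participant. The `excluded-paths` key, the semicolon-separated value format and the passwd sample are all assumptions made for the example: a home-directory selection pass reads the exclusion list from a semanage.conf-style fragment and skips the listed paths (matching on whole path components, so /root excludes /root/.ssh but not /rootfs) instead of hard-coding /root in the tool.

```python
import os

def parse_excluded_paths(conf_text):
    """Return normalized paths from the hypothetical `excluded-paths` key
    (semicolon-separated); comments and blank lines are ignored."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "excluded-paths":
            return [os.path.normpath(p.strip()) for p in value.split(";") if p.strip()]
    return []

def is_excluded(path, excluded):
    """True if path equals an excluded entry or lies beneath it.
    Comparison is on whole components, so /root does not cover /rootfs."""
    path = os.path.normpath(path)
    for ex in excluded:
        if path == ex or path.startswith(ex.rstrip("/") + "/"):
            return True
    return False

def homedirs_to_label(passwd_entries, conf_text, min_uid=500):
    """Home directories a genhomedircon-like pass would generate contexts for.

    passwd_entries: iterable of (name, uid, home) tuples. Accounts below
    min_uid and homes under an excluded path are skipped; the excluded
    paths keep whatever fixed context the policy's file_contexts assigns."""
    excluded = parse_excluded_paths(conf_text)
    return sorted(
        os.path.normpath(home)
        for _name, uid, home in passwd_entries
        if uid >= min_uid and not is_excluded(home, excluded)
    )

# Constructed sample data (hypothetical config key, fictional accounts).
SAMPLE_CONF = "# semanage.conf fragment (hypothetical key)\nexcluded-paths = /root; /srv/build\n"
SAMPLE_PASSWD = [
    ("root", 0, "/root"),
    ("dwalsh", 500, "/home/dwalsh"),
    ("dev1", 501, "/home/devel/dev1"),
    ("alice", 502, "/export/home/alice"),
    ("build", 503, "/srv/build/ci"),
    ("rootish", 504, "/rootfs/users/rootish"),
]

if __name__ == "__main__":
    # With min_uid=0 only the exclusion list keeps /root out of the generated set.
    print(homedirs_to_label(SAMPLE_PASSWD, SAMPLE_CONF, min_uid=0))
```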