From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] appconfig-mcs_default_contexts.patch
Date: Wed, 27 May 2009 11:47:01 -0400
Message-ID: <4A1D6075.2010208@redhat.com>
In-Reply-To: <1243438786.5421.52.camel@gorn>

On 05/27/2009 11:39 AM, Christopher J. PeBenito wrote:
> On Wed, 2009-05-27 at 11:25 -0400, Daniel J Walsh wrote:
>> On 05/27/2009 09:16 AM, Christopher J. PeBenito wrote:
>>> On Thu, 2009-05-21 at 10:34 -0400, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/appconfig-mcs_default_contexts.patch
>>>>
>>>> default context file should have one default context all of the other
>>>> types should be broken out into the users directory.
>>> I disagree. We need defaults that work.
>>>
>> But the defaults are in the individual files which we now ship. So as I
>> add new user ABC_U type I need to provide a
>> /etc/selinux/targeted/contexts/users/ABC_U
>>
>> And defaults_context will not work for that user if the ABC_U file is
>> not there. So it will not Just work.
>
> If there is no default contexts specific to the seuser, the general
> default_contexts will be used. It will cover people who want to add
> their own seuser but don't add a seuser-specific default_contexts. It
> doesn't hurt to have all of these entries in the general
> default_contexts since all of the valid contexts are defined in policy.
>
But it doesn't help, and you end up with an invalid context listed if you
do not have that user type defined.
So if I don't have unconfined_t or sysadm_t I end up with a bogus listing.
I say make it user_u and move on. I actually would get rid of the file
altogether and force all user types to have a user context file.
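
The following is an added example, not part of the original message or of refpolicy. It models the lookup order described in the thread (a users/<seuser> file if present, otherwise the general default_contexts) and lists general entries whose type is not defined in the policy. The seuser abc_u, the file contents and the set of defined types are constructed for illustration.

```python
# Constructed sample of a general default_contexts file (MCS style):
# each line is "<login process context> <candidate user contexts...>".
GENERAL_TEXT = """\
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 user_r:user_t:s0
"""
# Constructed: only staff_u ships a contexts/users/ file here.
USER_FILES_TEXT = {"staff_u": "system_r:sshd_t:s0 staff_r:staff_t:s0\n"}
# Constructed: a policy built without the unconfined and sysadm modules.
DEFINED_TYPES = {"user_t", "staff_t"}

def parse_contexts(text):
    """Map each source context to its ordered list of candidate contexts."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and blanks
        if len(fields) >= 2:
            table[fields[0]] = fields[1:]
    return table

def ctx_type(partial_ctx):
    """Type field of a partial context written role:type[:level]."""
    return partial_ctx.split(":")[1]

def candidates(from_ctx, seuser, user_files, general):
    """Use users/<seuser> when that file exists, else the general file.
    Simplified model of the behaviour described in the thread."""
    table = user_files.get(seuser)
    if table is None:
        return "default_contexts", general.get(from_ctx, [])
    return "users/" + seuser, table.get(from_ctx, [])

def undefined_entries(table, defined_types):
    """(source, candidate) pairs whose candidate type the policy lacks."""
    return [(src, dst) for src, dsts in table.items()
            for dst in dsts if ctx_type(dst) not in defined_types]

GENERAL = parse_contexts(GENERAL_TEXT)
USER_FILES = {u: parse_contexts(t) for u, t in USER_FILES_TEXT.items()}

if __name__ == "__main__":
    # abc_u has no users/ file, so it falls through to the general list.
    print(candidates("system_r:sshd_t:s0", "abc_u", USER_FILES, GENERAL))
    for src, dst in undefined_entries(GENERAL, DEFINED_TYPES):
        print("not defined in policy:", src, "->", dst)
```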