From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module
Date: Tue, 9 Oct 2012 09:42:20 -0400 [thread overview]
Message-ID: <507429BC.8080200@tresys.com> (raw)
In-Reply-To: <1349385291.22995.68.camel@d30.localdomain>
On 10/04/12 17:14, Dominick Grift wrote:
>
>
> On Thu, 2012-10-04 at 21:30 +0200, Dominick Grift wrote:
>>
>> On Thu, 2012-10-04 at 15:04 -0400, Daniel J Walsh wrote:
>>
>>>>
>>>
>>> Well also the content in this directory does not match correctly for the file
>>> context.
>>>
>>> /run/user/3267/dconf/ versus /home/dwalsh/.config/dconf?
>>>
>>> Kerberos keyring is there now also there which used to be labeled user_tmp_t.
>>>
>>> Gkeyringd_tmp_t content is there which also used to be in /tmp.
>>>
>>> X11-display seems to be moving here also.
>>>
>>
>> .orc and gvfs matches with $HOME.
>>
>> Nonetheless we should consider things like UBAC, MLS, poly-instantiation
>> etc.
>>
>> I know Redhat does not enable UBAC by default but i am pretty sure she
>> would want this technology to be supported at least in a minimal way (or
>> let me put it this way: i dont think she would want ubac enablement to
>> totally break selinux in redhat distros) to give customers the freedom
>> to enable it if they so desire.
>>
>> UBAC requires that /run/user/UID has the proper selinux identity set,
>> else users will not be able to create content in that dir (currently it
>> is system_u).
>>
>> But that aside, upstream will have to deal with that and to diverge
>> from, or ignore upstream would be counter productive for all parties
>> involved in the long run.
>>
>> I think that the current labeling may not be good enough
>>
>
> The above comment of me was on second thought probably exaggeration.
>
> system_u is ubac exempt and user_tmp_t is or can be easily made to
> supported poly instantiation.
>
> i guess it could work unless i am overlooking something
My suspicion is that in the long run genhomedircon would need to be enhanced to support a UID substitution like it has a USER substitution. That would yield the most flexibility. Otherwise, in the mean time, labeling /run/user/ as user_tmp_t would probably work.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
next prev parent reply other threads:[~2012-10-09 13:42 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-03 15:12 [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module Dominick Grift
2012-10-03 15:28 ` Dominick Grift
2012-10-03 15:52 ` Dominick Grift
2012-10-03 18:16 ` Sven Vermeulen
2012-10-03 22:05 ` Daniel J Walsh
2012-10-04 11:01 ` Dominick Grift
2012-10-04 14:53 ` Daniel J Walsh
2012-10-04 15:24 ` Dominick Grift
2012-10-04 17:19 ` Daniel J Walsh
2012-10-04 17:39 ` Dominick Grift
2012-10-04 17:46 ` Dominick Grift
2012-10-04 19:04 ` Daniel J Walsh
2012-10-04 19:30 ` Dominick Grift
2012-10-04 21:14 ` Dominick Grift
2012-10-09 13:42 ` Christopher J. PeBenito [this message]
2012-10-09 13:44 ` Christopher J. PeBenito
2012-10-09 13:52 ` Dominick Grift
2012-10-09 14:02 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=507429BC.8080200@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.