From: Gary Tierney <gary.tierney@gmx.com>
To: selinux@tycho.nsa.gov
Subject: [PATCH 0/1] supporting RBACSEP in genhomedircon
Date: Fri, 23 Sep 2016 15:28:43 +0100
Message-ID: <cover.1474639773.git.gary.tierney@gmx.com>

This patch implements support for policies using RBACSEP in genhomedircon. It
works by using an SELinux user's "prefix" as the role in their homedir contexts.

It seems that genhomedircon has previously supported something similar, as it'll
currently replace the string "ROLE" with whatever a user's prefix is. However,
if using CIL we can't leverage this, since secilc will complain about the
semantics of an invalid role named "ROLE" in a filecon statement.

Since there's no way for a CIL policy to tell genhomedircon whether a role should
be replaced or not, a new "genhomedircon-rbacsep" option was added to
/etc/selinux/semanage.conf.

I'm not convinced that this is the best way to go about this. Maybe an initial
role can be implicitly figured out using libsepol's API? Anyway, I've submitted
this to see if there are any better options for supporting RBACSEP in home dir
context generation.

There was some previous discussion about this here for reference:
http://oss.tresys.com/pipermail/refpolicy/2011-August/004417.html

Gary Tierney (1):
  genhomedircon: support policies using RBACSEP

 libsemanage/src/conf-parse.y    | 14 +++++++++++++-
 libsemanage/src/conf-scan.l     |  1 +
 libsemanage/src/genhomedircon.c | 30 +++++++++++++++++++++++++++++-
 libsemanage/src/semanage_conf.h |  1 +
 4 files changed, 44 insertions(+), 2 deletions(-)

-- 
2.4.11
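
An added illustration of the role substitution the cover letter describes; it is not code from the patch or from libsemanage. The helper names, the rbacsep flag (standing in for the proposed semanage.conf option) and the sample line are assumptions, and the sample assumes the user's prefix has been set to a role name.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not libsemanage code: copy ctx
 * ("user:role:type[:range]") into out with the role field replaced. */
int set_context_role(const char *ctx, const char *role, char *out, size_t outlen)
{
    const char *c1 = strchr(ctx, ':');                 /* end of user */
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;  /* end of role */
    int n;
    if (!c1 || !c2 || c1 == ctx || c2 == c1 + 1 || c2[1] == '\0')
        return -1;                      /* malformed context */
    if (role[0] == '\0' || strchr(role, ':'))
        return -1;                      /* a role can never contain ':' */
    /* c2 onward (":type" plus an optional MLS range that may contain
     * further colons) is copied through untouched. */
    n = snprintf(out, outlen, "%.*s:%s%s", (int)(c1 - ctx), ctx, role, c2);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Rewrite one file-context line "<path> [<-type>] <context>" (no trailing
 * newline). rbacsep models the on/off switch the cover letter proposes;
 * lines labelled <<none>> are passed through unchanged. */
int rewrite_fc_line(const char *line, const char *prefix, int rbacsep,
                    char *out, size_t outlen)
{
    const char *ctx = line + strlen(line);
    char newctx[256];
    int n;
    while (ctx > line && ctx[-1] != ' ' && ctx[-1] != '\t')
        ctx--;                          /* last whitespace-separated field */
    if (!rbacsep || strcmp(ctx, "<<none>>") == 0)
        n = snprintf(out, outlen, "%s", line);
    else if (set_context_role(ctx, prefix, newctx, sizeof(newctx)) == 0)
        n = snprintf(out, outlen, "%.*s%s", (int)(ctx - line), line, newctx);
    else
        return -1;
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char buf[512];
    /* Constructed sample line and prefix. */
    if (rewrite_fc_line("/home/alice/.+\tstaff_u:object_r:user_home_t:s0-s0:c0.c1023",
                        "staff_r", 1, buf, sizeof(buf)) == 0)
        puts(buf);
    return 0;
}
```
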
Thread overview: 15+ messages
2016-09-23 14:28 Gary Tierney [this message]
2016-09-23 14:28 ` [PATCH 1/1] genhomedircon: support policies using RBACSEP Gary Tierney
2016-09-23 15:43 ` Gary Tierney
2016-09-26 13:41 ` Stephen Smalley
2016-09-23 19:36 ` Stephen Smalley
2016-09-23 20:51 ` Gary Tierney
2016-09-24 8:26 ` Dominick Grift
2016-09-26 14:20 ` Stephen Smalley
2016-09-26 14:34 ` Dominick Grift
2016-09-26 15:06 ` Dominick Grift
2016-09-27 7:44 ` Dominick Grift
2016-09-27 13:39 ` Stephen Smalley
2016-09-29 1:06 ` Gary Tierney
2016-09-27 22:19 ` Chris PeBenito
2016-09-23 14:48 ` [PATCH 0/1] supporting RBACSEP in genhomedircon Dominick Grift