* users with weird names
@ 2005-01-26  3:53 steven harp
  2005-01-26 17:19 ` Stephen Smalley
  0 siblings, 1 reply; 2+ messages in thread
From: steven harp @ 2005-01-26  3:53 UTC (permalink / raw)
  To: selinux


Failed to find this in the archives, but somebody must have
tripped across the problem of linux users with names that
are policy compiler keywords, e.g. Mr allow cannot be handled
by:

  user allow roles { staff_r };

rbac:108:ERROR 'syntax error' at token 'allow' on line 56248:

Same for Mr source and Ms. target, etc., all "ok" identifiers.
I am not trying to be perverse--somebody else picked several
names that will not parse.

And the correct way to quote them is.... ?



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: users with weird names
  2005-01-26  3:53 users with weird names steven harp
@ 2005-01-26 17:19 ` Stephen Smalley
  0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2005-01-26 17:19 UTC (permalink / raw)
  To: steven harp; +Cc: selinux

On Tue, 2005-01-25 at 22:53, steven harp wrote:
> Failed to find this in the archives, but somebody must have
> tripped across the problem of linux users with names that
> are policy compiler keywords, e.g. Mr allow cannot be handled
> by:
> 
>   user allow roles { staff_r };
> 
> rbac:108:ERROR 'syntax error' at token 'allow' on line 56248:
> 
> Same for Mr source and Ms. target, etc., all "ok" identifiers.
> I am not trying to be perverse--somebody else picked several
> names that will not parse.
> 
> And the correct way to quote them is.... ?

There is no way to "quote" them.  You'd have to patch
checkpolicy/policy_parse.y to accept such tokens in the username field. 
A more general solution (and one needed for other purposes as well)
would be to change libselinux to support a mapping from Linux user
properties (username, group membership, etc) to SELinux usernames, which
has been discussed previously on the list but no one has done it yet. 
This would also require adjusting any programs like newrole that rely on
the SELinux username, possibly having them use the audit loginuid
instead once it is exported to userspace.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
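
Added example, not part of either message and not checkpolicy or libselinux code: a pre-compile check in the spirit of the mapping approach described in the reply above. It keeps login names that collide with policy keywords out of `user` statements and maps them to a shared SELinux user instead. The keyword list beyond allow/source/target, the identifier pattern, the UID cutoff and the name `staff_u` are assumptions.

```python
import re

# "allow", "source" and "target" are the names reported in the thread; the
# others are policy-language keywords added as an assumption. The list is not
# exhaustive: the authoritative set lives in checkpolicy's scanner.
RESERVED = {"allow", "source", "target", "user", "role", "roles", "type",
            "types", "class", "attribute", "neverallow", "dontaudit",
            "auditallow"}
# Simplified shape of a policy identifier (assumption, not the real grammar).
IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*$")

# Constructed sample input in passwd format.
SAMPLE = """root:x:0:0:root:/root:/bin/bash
allow:x:501:501:Mr Allow:/home/allow:/bin/bash
jdoe:x:502:502::/home/jdoe:/bin/bash
target:x:503:503::/home/target:/bin/bash
"""

def login_names(passwd_text, min_uid=500):
    """Yield login names of ordinary accounts (UID cutoff is an assumption)."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2].isdigit() and int(fields[2]) >= min_uid:
            yield fields[0]

def plan(passwd_text, role="staff_r", fallback="staff_u"):
    """Return (user statements, login -> SELinux user mapping).

    Names the compiler would reject are mapped to `fallback`, a hypothetical
    shared SELinux user, so they never appear as tokens in the policy source.
    """
    users, mapping = [], {}
    for name in login_names(passwd_text):
        # Compared case-folded, to be conservative.
        if name.lower() in RESERVED or not IDENT.match(name):
            mapping[name] = fallback
        else:
            mapping[name] = name
            users.append(name)
    if fallback in mapping.values() and fallback not in users:
        users.append(fallback)
    return ["user %s roles { %s };" % (u, role) for u in users], mapping

if __name__ == "__main__":
    statements, mapping = plan(SAMPLE)
    print("\n".join(statements))
    for login, seuser in sorted(mapping.items()):
        print("%s -> %s" % (login, seuser))
```

The mapping is only a plan: as the reply notes, login programs and tools such as newrole would still have to consult it rather than assume the SELinux username equals the Linux one.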

