* [refpolicy] appconfig-mcs_default_contexts.patch
@ 2009-03-05 16:04 Daniel J Walsh
  2009-03-05 16:09 ` Christopher J. PeBenito
  0 siblings, 1 reply; 8+ messages in thread
From: Daniel J Walsh @ 2009-03-05 16:04 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/appconfig-mcs_default_contexts.patch

Rewriting default_context to default to user_t.


* [refpolicy] appconfig-mcs_default_contexts.patch
  2009-03-05 16:04 [refpolicy] appconfig-mcs_default_contexts.patch Daniel J Walsh
@ 2009-03-05 16:09 ` Christopher J. PeBenito
  0 siblings, 0 replies; 8+ messages in thread
From: Christopher J. PeBenito @ 2009-03-05 16:09 UTC (permalink / raw)
  To: refpolicy

On Thu, 2009-03-05 at 11:04 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/appconfig-mcs_default_contexts.patch
> 
> Rewriting default_context to default to user_t.

I have to pass on this one.  It'll break any user that doesn't have a
user-specific default_contexts file and doesn't have the user_r role.
The global default_contexts needs to remain generic.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] appconfig-mcs_default_contexts.patch
  2009-05-27 15:47       ` Daniel J Walsh
@ 2009-05-27 15:56         ` Christopher J. PeBenito
  0 siblings, 0 replies; 8+ messages in thread
From: Christopher J. PeBenito @ 2009-05-27 15:56 UTC (permalink / raw)
  To: refpolicy

On Wed, 2009-05-27 at 11:47 -0400, Daniel J Walsh wrote:
> On 05/27/2009 11:39 AM, Christopher J. PeBenito wrote:
> > On Wed, 2009-05-27 at 11:25 -0400, Daniel J Walsh wrote:
> >> On 05/27/2009 09:16 AM, Christopher J. PeBenito wrote:
> >>> On Thu, 2009-05-21 at 10:34 -0400, Daniel J Walsh wrote:
> >>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/appconfig-mcs_default_contexts.patch
> >>>>
> >>>> default context file should have one default context all of the other
> >>>> types should be broken out into the users directory.
> >>> I disagree.  We need defaults that work.
> >>>
> >> But the defaults are in the individual files which we now ship.  So as I
> >> add new user ABC_U type I need to provide a
> >> /etc/selinux/targeted/contexts/users/ABC_U
> >>
> >> And defaults_context will not work for that user if the ABC_U file is
> >> not there.  So it will not Just work.
> >
> > If there is no default contexts specific to the seuser, the general
> > default_contexts will be used.  It will cover people who want to add
> > their own seuser but don't add a seuser-specific default_contexts.  It
> > doesn't hurt to have all of these entries in the general
> > default_contexts since all of the valid contexts are defined in policy.
> >
> But it doesn't help, and you end up with invalid context listed if you 
> do not have that user type defined.

It doesn't hurt.  The libraries have handled it for a very long time.

> So if I don't have unconfined_t or sysadm_t I end up with a bogus listing.

I'm not sure what you are saying.  You would have to be missing all
standard roles to not be able to log in.

> I actually would get rid of the file altogether and force all user
> types to have a user context file.

That would be an argument for the SELinux list as that affects the
libraries.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] appconfig-mcs_default_contexts.patch
  2009-05-27 15:39     ` Christopher J. PeBenito
@ 2009-05-27 15:47       ` Daniel J Walsh
  2009-05-27 15:56         ` Christopher J. PeBenito
  0 siblings, 1 reply; 8+ messages in thread
From: Daniel J Walsh @ 2009-05-27 15:47 UTC (permalink / raw)
  To: refpolicy

On 05/27/2009 11:39 AM, Christopher J. PeBenito wrote:
> On Wed, 2009-05-27 at 11:25 -0400, Daniel J Walsh wrote:
>> On 05/27/2009 09:16 AM, Christopher J. PeBenito wrote:
>>> On Thu, 2009-05-21 at 10:34 -0400, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/appconfig-mcs_default_contexts.patch
>>>>
>>>> default context file should have one default context all of the other
>>>> types should be broken out into the users directory.
>>> I disagree.  We need defaults that work.
>>>
>> But the defaults are in the individual files which we now ship.  So as I
>> add new user ABC_U type I need to provide a
>> /etc/selinux/targeted/contexts/users/ABC_U
>>
>> And defaults_context will not work for that user if the ABC_U file is
>> not there.  So it will not Just work.
>
> If there is no default contexts specific to the seuser, the general
> default_contexts will be used.  It will cover people who want to add
> their own seuser but don't add a seuser-specific default_contexts.  It
> doesn't hurt to have all of these entries in the general
> default_contexts since all of the valid contexts are defined in policy.
>
But it doesn't help, and you end up with invalid context listed if you 
do not have that user type defined.

So if I don't have unconfined_t or sysadm_t I end up with a bogus listing.

I say make it user_u and move on.  I actually would get rid of the file 
altogether and force all user types to have a user context file.


* [refpolicy] appconfig-mcs_default_contexts.patch
  2009-05-27 15:25   ` Daniel J Walsh
@ 2009-05-27 15:39     ` Christopher J. PeBenito
  2009-05-27 15:47       ` Daniel J Walsh
  0 siblings, 1 reply; 8+ messages in thread
From: Christopher J. PeBenito @ 2009-05-27 15:39 UTC (permalink / raw)
  To: refpolicy

On Wed, 2009-05-27 at 11:25 -0400, Daniel J Walsh wrote:
> On 05/27/2009 09:16 AM, Christopher J. PeBenito wrote:
> > On Thu, 2009-05-21 at 10:34 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F11/appconfig-mcs_default_contexts.patch
> >>
> >> default context file should have one default context all of the other
> >> types should be broken out into the users directory.
> >
> > I disagree.  We need defaults that work.
> >
> But the defaults are in the individual files which we now ship.  So as I 
> add new user ABC_U type I need to provide a 
> /etc/selinux/targeted/contexts/users/ABC_U
> 
> And defaults_context will not work for that user if the ABC_U file is 
> not there.  So it will not Just work.

If there is no default contexts specific to the seuser, the general
default_contexts will be used.  It will cover people who want to add
their own seuser but don't add a seuser-specific default_contexts.  It
doesn't hurt to have all of these entries in the general
default_contexts since all of the valid contexts are defined in policy.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
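
Added example, not part of the thread and not libselinux code: a simplified Python model of the fallback described in the message above, where a seuser without its own file under contexts/users/ is served from the general default_contexts and listed contexts the policy does not allow are skipped. The file contents, the ABC_u seuser and the `reachable` sets are constructed sample data, and `parse` / `ordered_contexts` are hypothetical names.

```python
# Simplified model of the fallback discussed in the thread; not libselinux code.
# All file contents below are constructed sample data.
GLOBAL_DEFAULT_CONTEXTS = """\
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
"""

# Stands in for contexts/users/<seuser>; ABC_u deliberately has no entry.
USER_FILES = {
    "staff_u": "system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0\n",
}


def parse(text):
    """Map each 'from' context (role:type:level) to its ordered candidates."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) >= 2:
            table[fields[0]] = fields[1:]
    return table


def ordered_contexts(seuser, from_ctx, reachable):
    """Login contexts for seuser entering through from_ctx, best first.

    reachable: role:type:level strings the loaded policy allows for this
    seuser (an assumed input here; a real system derives it from policy).
    """
    sources = []
    if seuser in USER_FILES:                  # seuser-specific file, if any
        sources.append(USER_FILES[seuser])
    sources.append(GLOBAL_DEFAULT_CONTEXTS)   # general default_contexts
    for text in sources:
        picked = []
        for cand in parse(text).get(from_ctx, []):
            # A listed context the policy does not allow is skipped, not fatal.
            if cand in reachable and cand not in picked:
                picked.append(cand)
        if picked:                            # first source with a usable entry
            return [f"{seuser}:{c}" for c in picked]
    return []                                 # nothing usable: login fails
```

With only a non-standard role reachable, the function returns an empty list, which is the "missing all standard roles" case raised later in the thread.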


* [refpolicy] appconfig-mcs_default_contexts.patch
  2009-05-27 13:16 ` Christopher J. PeBenito
@ 2009-05-27 15:25   ` Daniel J Walsh
  2009-05-27 15:39     ` Christopher J. PeBenito
  0 siblings, 1 reply; 8+ messages in thread
From: Daniel J Walsh @ 2009-05-27 15:25 UTC (permalink / raw)
  To: refpolicy

On 05/27/2009 09:16 AM, Christopher J. PeBenito wrote:
> On Thu, 2009-05-21 at 10:34 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/appconfig-mcs_default_contexts.patch
>>
>> default context file should have one default context all of the other
>> types should be broken out into the users directory.
>
> I disagree.  We need defaults that work.
>
But the defaults are in the individual files which we now ship.  So as I 
add new user ABC_U type I need to provide a 
/etc/selinux/targeted/contexts/users/ABC_U

And defaults_context will not work for that user if the ABC_U file is 
not there.  So it will not Just work.


* [refpolicy] appconfig-mcs_default_contexts.patch
  2009-05-21 14:34 Daniel J Walsh
@ 2009-05-27 13:16 ` Christopher J. PeBenito
  2009-05-27 15:25   ` Daniel J Walsh
  0 siblings, 1 reply; 8+ messages in thread
From: Christopher J. PeBenito @ 2009-05-27 13:16 UTC (permalink / raw)
  To: refpolicy

On Thu, 2009-05-21 at 10:34 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/appconfig-mcs_default_contexts.patch
> 
> default context file should have one default context all of the other
> types should be broken out into the users directory.

I disagree.  We need defaults that work.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] appconfig-mcs_default_contexts.patch
@ 2009-05-21 14:34 Daniel J Walsh
  2009-05-27 13:16 ` Christopher J. PeBenito
  0 siblings, 1 reply; 8+ messages in thread
From: Daniel J Walsh @ 2009-05-21 14:34 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/appconfig-mcs_default_contexts.patch

default context file should have one default context all of the other 
types should be broken out into the users directory.

