* homedir file context definitions
@ 2020-11-02 20:45 Vit Mojzis
2020-11-02 21:12 ` bauen1
2020-11-05 13:45 ` Chris PeBenito
0 siblings, 2 replies; 3+ messages in thread
From: Vit Mojzis @ 2020-11-02 20:45 UTC (permalink / raw)
To: selinux
Hello everyone,
when investigating a bug report [1], I found that homedir context
definitions (specified in .fc file) are changed based on the
corresponding user (selinux user, role and mls level from the context
definition are replaced - [2]).
While replacing the selinux user and role makes sense, I'm wondering if
the mls level from each homedir context definition should instead be
compared to corresponding user's mls range (and either kept or replaced
to ensure given user has access to it).
I have no problem with writing the patch, but I could use help
understanding what the correct behaviour should be (and why).
Any pointers would be apprecited.
Thank you.
[1] - https://bugzilla.redhat.com/show_bug.cgi?id=1818472
[2] -
https://github.com/SELinuxProject/selinux/blob/master/libsemanage/src/genhomedircon.c#L638
--
Vit Mojzis
Software Engineer, Platform Security - SELinux userspace
Red Hat, Inc.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: homedir file context definitions
2020-11-02 20:45 homedir file context definitions Vit Mojzis
@ 2020-11-02 21:12 ` bauen1
2020-11-05 13:45 ` Chris PeBenito
1 sibling, 0 replies; 3+ messages in thread
From: bauen1 @ 2020-11-02 21:12 UTC (permalink / raw)
To: Vit Mojzis, selinux
On 11/2/20 9:45 PM, Vit Mojzis wrote:
> when investigating a bug report [1], I found that homedir context definitions (specified in .fc file) are changed based on the corresponding user (selinux user, role and mls level from the context definition are replaced - [2]).
> While replacing the selinux user and role makes sense, I'm wondering if the mls level from each homedir context definition should instead be compared to corresponding user's mls range (and either kept or replaced to ensure given user has access to it).
>
> I have no problem with writing the patch, but I could use help understanding what the correct behaviour should be (and why).
I would also be interested in a patch that allows specifying the "user level" i.e. the mls part of home directory file contexts as a range.
In my policy objects can also have a range where low specifies the confidentiality level and high the integrity level of a file, and it would be quite useful to have user directories default to low-high.
I might have already posted something about this to the mailing list but I'm not sure.
--
bauen1
https://dn42.bauen1.xyz/
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: homedir file context definitions
2020-11-02 20:45 homedir file context definitions Vit Mojzis
2020-11-02 21:12 ` bauen1
@ 2020-11-05 13:45 ` Chris PeBenito
1 sibling, 0 replies; 3+ messages in thread
From: Chris PeBenito @ 2020-11-05 13:45 UTC (permalink / raw)
To: Vit Mojzis, selinux
On 11/2/20 3:45 PM, Vit Mojzis wrote:
> Hello everyone,
> when investigating a bug report [1], I found that homedir context definitions
> (specified in .fc file) are changed based on the corresponding user (selinux
> user, role and mls level from the context definition are replaced - [2]).
> While replacing the selinux user and role makes sense, I'm wondering if the mls
> level from each homedir context definition should instead be compared to
> corresponding user's mls range (and either kept or replaced to ensure given user
> has access to it).
>
> I have no problem with writing the patch, but I could use help understanding
> what the correct behaviour should be (and why).
>
> Any pointers would be apprecited.
I think the behavior should be that it replaces the level with the default level
of the user (from the user policy statement) and that possibly should be
overridden by the bottom level of whatever range is specified for that login
user (from the seusers file).
--
Chris PeBenito
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-11-05 13:46 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-02 20:45 homedir file context definitions Vit Mojzis
2020-11-02 21:12 ` bauen1
2020-11-05 13:45 ` Chris PeBenito
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.