[refpolicy] appconfig-mcs_default_contexts.patch

Christopher J. PeBenito cpebenito at tresys.com
Wed May 27 10:56:17 CDT 2009


On Wed, 2009-05-27 at 11:47 -0400, Daniel J Walsh wrote:
> On 05/27/2009 11:39 AM, Christopher J. PeBenito wrote:
> > On Wed, 2009-05-27 at 11:25 -0400, Daniel J Walsh wrote:
> >> On 05/27/2009 09:16 AM, Christopher J. PeBenito wrote:
> >>> On Thu, 2009-05-21 at 10:34 -0400, Daniel J Walsh wrote:
> >>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/appconfig-mcs_default_contexts.patch
> >>>>
> >>>> The default context file should have one default context; all of the other
> >>>> types should be broken out into the users directory.
> >>> I disagree.  We need defaults that work.
> >>>
> >> But the defaults are in the individual files which we now ship.  So as I
> >> add new user ABC_U type I need to provide a
> >> /etc/selinux/targeted/contexts/users/ABC_U
> >>
> >> And defaults_context will not work for that user if the ABC_U file is
> >> not there.  So it will not Just work.
> >
> > If there is no default contexts specific to the seuser, the general
> > default_contexts will be used.  It will cover people who want to add
> > their own seuser but don't add a seuser-specific default_contexts.  It
> > doesn't hurt to have all of these entries in the general
> > default_contexts since all of the valid contexts are defined in policy.
> >
> But it doesn't help, and you end up with invalid context listed if you 
> do not have that user type defined.

It doesn't hurt.  The libraries have handled it for a very long time.

> So if I don't have unconfined_t or sysadm_t I end up with a bogus listing.

I'm not sure what you are saying.  You would have to be missing all
standard roles to not be able to log in.

> I actually would get rid of the file altogether and force all user
> types to have a user context file.

That would be an argument for the SELinux list as that affects the
libraries.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
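
The fallback discussed in this message, as an added example that is not part of the original email and is not libselinux's code: a simplified Python model in which the default context for a login program is taken from the seuser's file under `users/` when it exists, otherwise from the general `default_contexts`, with entries the policy does not define being skipped. The file contents, the `abc_u` user and the `valid` set are constructed assumptions for illustration.

```python
import os
import tempfile

# Constructed sample files in the default_contexts format: a login program's
# role:type:level followed by candidate user contexts in preference order.
GENERAL = ("system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 "
           "sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0\n")
STAFF_U = "system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0\n"


def parse_contexts(text):
    """Map each 'from' context to its ordered list of candidate contexts."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fromcon, *candidates = line.split()
            table[fromcon] = candidates
    return table


def pick_default(contexts_dir, seuser, fromcon, valid):
    """Return (file used, chosen context), or (None, None) if nothing is valid."""
    # `valid` stands in for the contexts the loaded policy allows for this
    # seuser (an assumption of this model; the real answer comes from policy).
    paths = [os.path.join(contexts_dir, "users", seuser),
             os.path.join(contexts_dir, "default_contexts")]
    for path in paths:
        if not os.path.exists(path):
            continue  # no seuser-specific file: fall back to the general one
        with open(path) as fh:
            candidates = parse_contexts(fh.read()).get(fromcon, [])
        for cand in candidates:
            if cand in valid:  # entries not valid in this policy are skipped
                return os.path.basename(path), cand
    return None, None


def build_sample_tree():
    """Write the constructed files into a temporary contexts directory."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "users"))
    with open(os.path.join(root, "default_contexts"), "w") as fh:
        fh.write(GENERAL)
    with open(os.path.join(root, "users", "staff_u"), "w") as fh:
        fh.write(STAFF_U)
    return root
```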


