Christopher J. PeBenito
cpebenito at tresys.com
Wed May 27 10:56:17 CDT 2009
On Wed, 2009-05-27 at 11:47 -0400, Daniel J Walsh wrote:
> On 05/27/2009 11:39 AM, Christopher J. PeBenito wrote:
> > On Wed, 2009-05-27 at 11:25 -0400, Daniel J Walsh wrote:
> >> On 05/27/2009 09:16 AM, Christopher J. PeBenito wrote:
> >>> On Thu, 2009-05-21 at 10:34 -0400, Daniel J Walsh wrote:
> >>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/appconfig-mcs_default_contexts.patch
> >>>> default context file should have one default context all of the other
> >>>> types should be broken out into the users directory.
> >>> I disagree. We need defaults that work.
> >> But the defaults are in the individual files which we now ship. So as I
> >> add new user ABC_U type I need to provide a
> >> /etc/selinux/targeted/contexts/users/ABC_U
> >> And defaults_context will not work for that user if the ABC_U file is
> >> not there. So it will not Just work.
> > If there is no default contexts specific to the seuser, the general
> > default_contexts will be used. It will cover people who want to add
> > their own seuser but don't add a seuser-specific default_contexts. It
> > doesn't hurt to have all of these entries in the general
> > default_contexts since all of the valid contexts are defined in policy.
> But it doesn't help, and you end up with invalid context listed if you
> do not have that user type defined.
It doesn't hurt. The libraries have handled it for a very long time.
> So if I don't have unconfined_t or sysadm_t I end up with a bogus listing.
I'm not sure what you are saying. You would have to be missing all
standard roles to not be able to log in.
> I actually would get rid of the file altogether and force all user
> types to have a user context file.
That would be an argument for the SELinux list as that affects the
Tresys Technology, LLC
(410) 290-1411 x150
More information about the refpolicy