FC2 and FC1 and common home
Colin Walters
walters at redhat.com
Mon Apr 5 16:09:22 UTC 2004
On Mon, 2004-04-05 at 11:31, Shahms King wrote:
> So, what, exactly, does SELinux do in the absence of file context
> information?
Depends on what you mean; I'm assuming you mean filesystems without
xattr support. In that case, SELinux has several methods of associating
security contexts with files. The two important ones are the context=
option for mount, and genfs.
> It seems to me that the "correct" behavior would be to
> ignore missing context information. Perhaps logging the fact that the
> file lacks context, but proceeding as if SELinux weren't installed.
> Yes, it's less secure, but it's also "the principle of least surprise."
At the kernel level, SELinux's philosophy is that anything not
explicitly permitted by the policy is denied. A lot depends on that.
However the behavior you desire could be achieved at the policy level.
A first really bad hack would be something like:
rw_dir_create_file(domain,unlabeled_t)
A somewhat better way would be to define a new type that you use for
shared data:
type shared_data_t, file_type, sysadmfile;
rw_dir_create_file(domain,shared_data_t);
And then add context=system_u:object_r:shared_data_t to your fstab
options for /home. Not tested, but it will likely work.
I don't think anything like this should be the default though :)
> Watching the mount messages at bootup, it also appears as though for
> EA-incapable filesystems SELinux will generate context information
> automatically, is it not possible to do this for files without the
> context info?
It depends on the filesystem type, your security policy, and the mount
options, but - yes.
> And, more importantly, it lets me share data between my FC1 install
> and FC2 install as an ordinary user ;-P
I'm assuming the problem here is that you write the data from both,
potentially losing xattrs?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20040405/f979126c/attachment.sig>
More information about the fedora-devel-list
mailing list