[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: FC2 and FC1 and common home

On Mon, 2004-04-05 at 11:31, Shahms King wrote:
> So, what, exactly, does SELinux do in the absence of file context
> information?  

Depends on what you mean; I'm assuming you mean filesystems without
xattr support.  In that case, SELinux has several methods of associating
security contexts with files.  The two important ones are the context=
option for mount, and genfs.  

> It seems to me that the "correct" behavior would be to
> ignore missing context information.  Perhaps logging the fact that the
> file lacks context, but proceeding as if SELinux weren't installed. 
> Yes, it's less secure, but it's also "the principle of least surprise."

At the kernel level, SELinux's philosophy is that anything not
explicitly permitted by the policy is denied.  A lot depends on that. 
However the behavior you desire could be achieved at the policy level. 
A first really bad hack would be something like:


A somewhat better way would be to define a new type that you use for
shared data:

type shared_data_t, file_type, sysadmfile;

And then add context=system_u:object_r:shared_data_t to your fstab
options for /home.  Not tested, but it will likely work.  

I don't think anything like this should be the default though :)

> Watching the mount messages at bootup, it also appears as though for
> EA-incapable filesystems SELinux will generate context information
> automatically, is it not possible to do this for files without the
> context info?

It depends on the filesystem type, your security policy, and the mount
options, but - yes.

> And, more importantly, it lets me share data between my FC1 install
> and FC2 install as an ordinary user ;-P

I'm assuming the problem here is that you write the data from both,
potentially losing xattrs?

Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]