Re: Security contexts for the contexts directory?

[Daniel J Walsh <dwalsh redhat com>]

Stephen Smalley wrote:

> On Thu, 2004-05-27 at 07:54, Daniel J Walsh wrote:
>  
>
> > With the new design of the policy tree, we have moved the "contexts" 
> > files into
> > /etc/selinux/*/contexts/
> >
> > These files include default_contexts, file_contexts, default_type, 
> > failsafe_contexts ...
> > as well as contexts for individual users like users/root.  Currently the 
> > security contexts for these files is etc_t.   Should we change them so 
> > something else? default_contexts_t?  Should file_contexts be marked 
> > differently then the others?
> >    
>
> I'd suggest a single type (other than etc_t) for default_contexts,
> default_type, failsafe_context, and the other files installed from
> policy/appconfig.  file_contexts should likely have a different type to
> allow different access, so perhaps it should have its own directory and
> type.  With the old layout and policy, it ends up in policy_config_t,
> but I think we want to distinguish it from the binary policy file as
> well as from the appconfig files.
>
>  
Ok how about, default_contexts_t for contexts directory and users 
directory.  Create a new directory called files and put file_contexts in 
there with a context of file_contexts_t.

> > Also since policy is determined by /etc/sysconfig/selinux, should we set 
> > a special security context on it?  If we do should we move it to a 
> > directory where it would be easier to maintain the security context?  
> > Maybe rename it to /etc/selinux/config?
> >    
>
> I would prefer having a distinct type on it (and moving it to a
> directory with that type so that we can easily preserve the type), as
> the integrity of that file is critical to SELinux, at least in the
> Fedora Core implementation.
>
>  
Should that have default_contexts_t also? Or something different?