[redhat-lspp] pam_namespace is broken from an SELinux perspective.

Linda Knippers linda.knippers at hp.com
Thu Dec 7 19:54:17 UTC 2006


Stephen Smalley wrote:
>>Should I also get a new set of directories if I use newrole to switch
>>roles?  I don't (and not sure I want to) but I'm wondering if I'm
>>supposed to since the man page says it polyinstantiates based on
>>"context" and when I change roles, my context changes, right?
> 
> 
> Correct - it was intended to be general and support role/domain-based
> instantiation as well as level instantiation, but Dan's patch drops that
> support and hardcodes the level instantiation.  Which is simpler and
> yields the desired behavior for MLS and LSPP, at a cost in generality.
> The more general fix may take more effort (small kernel patch to adjust
> the logic or policy and labeling adjustments to work around).

I kind of like the way it's working now.  I don't necessarily want a new
home directory when I switch roles.  I think if the code gets changed, it
would be nice to have the behavior selectable.  Right now the options are
to instantiate based on name, context or both.  Having the option to
instantiate on the full context or just the level would be nice.

-- ljk
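For readers unfamiliar with how the per-directory choice is expressed, here is an illustrative /etc/security/namespace.conf fragment. It is added to this archive page and is not part of the thread or of the pam_namespace sources; the method keywords shown (user, context, level) are those documented for current pam_namespace, and the "level" method is the "just the level, not the full context" behaviour Linda asks for. Which of these keywords corresponds to the 2006 "name / context / both" options is my reading, not something the thread states.

```conf
# /etc/security/namespace.conf  (illustrative fragment, not from the thread)
#
# Format: polydir   instance_prefix   method   list_of_uids
#
# method selects what the instance directory is keyed on:
#   user     user name only (the "name" option in the thread)
#   context  user name plus the full SELinux context, so a newrole
#            role switch lands the user in a different instance
#   level    user name plus only the MLS level of the context, so a
#            role switch keeps the same home directory while different
#            levels are still kept apart (the behaviour Linda wants)
#
# Home directories: keyed on level, everyone except root
/home     /home/inst/        level    ~root
# Scratch space: keyed on the full context, for every user
/tmp      /tmp-inst/         context  
/var/tmp  /var/tmp/tmp-inst/ context  
```

An empty uid list means the line applies to all users; "~root" means all users except root. After changing the file, the effect is visible by logging in at two different levels (or, with the context method, two different roles) and comparing the mount shown for the polyinstantiated directory in each session.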