http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_domain.patch
Fix interface descriptions
Lots of new domains.
Added polydomain
On Wed, 2010-06-02 at 16:20 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_domain.patch
>
> Fix interface descriptions
>
> Lots of new domains.
>
> Added polydomain
What is the purpose of polydomain?
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 06/04/2010 09:39 AM, Christopher J. PeBenito wrote:
> On Wed, 2010-06-02 at 16:20 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_domain.patch
>>
>> Fix interface descriptions
>>
>> Lots of new domains.
>>
>> Added polydomain
>
> What is the purpose of polydomain?
>
If I have a polyinstantiated homedir like on an MLS machine. When a login
program creates the homedir it needs to populate it with content from
/etc/skel. When it does this, it needs to relabel it to user homedir
content.
tunable_policy(`allow_polyinstantiation',`
    files_polyinstantiate_all(polydomain)
    userdom_manage_user_home_content_dirs(polydomain)
    userdom_manage_user_home_content_files(polydomain)
    userdom_relabelto_user_home_dirs(polydomain)
    userdom_relabelto_user_home_files(polydomain)
')
On Fri, 2010-06-04 at 09:52 -0400, Daniel J Walsh wrote:
> On 06/04/2010 09:39 AM, Christopher J. PeBenito wrote:
> > On Wed, 2010-06-02 at 16:20 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_domain.patch
> >>
> >> Fix interface descriptions
> >>
> >> Lots of new domains.
> >>
> >> Added polydomain
> >
> > What is the purpose of polydomain?
> >
>
> If I have a polyinstantiated homedir like on an MLS machine. When a login
> program creates the homedir it needs to populate it with content from
> /etc/skel. When it does this, it needs to relabel it to user homedir
> content.
That sounds like rules in auth_login_pgm_domain() that should already
exist.
> tunable_policy(`allow_polyinstantiation',`
>     files_polyinstantiate_all(polydomain)
>     userdom_manage_user_home_content_dirs(polydomain)
>     userdom_manage_user_home_content_files(polydomain)
>     userdom_relabelto_user_home_dirs(polydomain)
>     userdom_relabelto_user_home_files(polydomain)
> ')
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 06/07/2010 08:51 AM, Christopher J. PeBenito wrote:
> On Fri, 2010-06-04 at 09:52 -0400, Daniel J Walsh wrote:
>> On 06/04/2010 09:39 AM, Christopher J. PeBenito wrote:
>>> On Wed, 2010-06-02 at 16:20 -0400, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_domain.patch
>>>>
>>>> Fix interface descriptions
>>>>
>>>> Lots of new domains.
>>>>
>>>> Added polydomain
>>>
>>> What is the purpose of polydomain?
>>>
>>
>> If I have a polyinstantiated homedir like on an MLS machine. When a login
>> program creates the homedir it needs to populate it with content from
>> /etc/skel. When it does this, it needs to relabel it to user homedir
>> content.
>
> That sounds like rules in auth_login_pgm_domain() that should already
> exist.
>
>> tunable_policy(`allow_polyinstantiation',`
>>     files_polyinstantiate_all(polydomain)
>>     userdom_manage_user_home_content_dirs(polydomain)
>>     userdom_manage_user_home_content_files(polydomain)
>>     userdom_relabelto_user_home_dirs(polydomain)
>>     userdom_relabelto_user_home_files(polydomain)
>> ')
>
The rules do not exist there currently other than
files_polyinstantiate_all(polydomain)
We could move this there or eliminate it and use the attribute to save
hundreds/thousands of rules.
On Mon, 2010-06-07 at 09:27 -0400, Daniel J Walsh wrote:
> On 06/07/2010 08:51 AM, Christopher J. PeBenito wrote:
> > On Fri, 2010-06-04 at 09:52 -0400, Daniel J Walsh wrote:
> >> On 06/04/2010 09:39 AM, Christopher J. PeBenito wrote:
> >>> On Wed, 2010-06-02 at 16:20 -0400, Daniel J Walsh wrote:
> >>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_domain.patch
> >>>>
> >>>> Fix interface descriptions
> >>>>
> >>>> Lots of new domains.
> >>>>
> >>>> Added polydomain
> >>>
> >>> What is the purpose of polydomain?
> >>>
> >>
> >> If I have a polyinstantiated homedir like on an MLS machine. When a login
> >> program creates the homedir it needs to populate it with content from
> >> /etc/skel. When it does this, it needs to relabel it to user homedir
> >> content.
> >
> > That sounds like rules in auth_login_pgm_domain() that should already
> > exist.
> >
> >> tunable_policy(`allow_polyinstantiation',`
> >>     files_polyinstantiate_all(polydomain)
> >>     userdom_manage_user_home_content_dirs(polydomain)
> >>     userdom_manage_user_home_content_files(polydomain)
> >>     userdom_relabelto_user_home_dirs(polydomain)
> >>     userdom_relabelto_user_home_files(polydomain)
> >> ')
> >
> The rules do not exist there currently other than
> files_polyinstantiate_all(polydomain)
>
> We could move this there or eliminate it and use the attribute to save
> hundreds/thousands of rules.
I'd prefer it as part of the auth_login_pgm_domain(), since that is what
the concept is. If you want to look at turning that interface into an
attribute with rules in authlogin.te then that would be fine.
If you're that concerned about the rule count, perhaps you could
convince Red Hat to invest some time in an optimizing policy
compiler? :)
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
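
The arrangement proposed in the last message, sketched as an added example (not code from the patch or from refpolicy): auth_login_pgm_domain() only tags its caller with an attribute, and the polyinstantiation rules are written once against that attribute in authlogin.te. The attribute name login_pgm is an assumption, and the interface's existing rules are not reproduced here.

```m4
# Added sketch, not from the patch or from refpolicy.
# login_pgm is an assumed attribute name.

########################################
# authlogin.te: declare the attribute and state the rules once,
# with the attribute as the source, instead of having the
# interface expand one copy per login program domain.
attribute login_pgm;

tunable_policy(`allow_polyinstantiation',`
    files_polyinstantiate_all(login_pgm)
    userdom_manage_user_home_content_dirs(login_pgm)
    userdom_manage_user_home_content_files(login_pgm)
    userdom_relabelto_user_home_dirs(login_pgm)
    userdom_relabelto_user_home_files(login_pgm)
')

########################################
# authlogin.if: lines added to the body of auth_login_pgm_domain(),
# so every caller is tagged with the attribute and picks up the
# rules above without the interface expanding them again.
gen_require(`
    attribute login_pgm;
')

typeattribute $1 login_pgm;
```

This keeps the relabel and manage permissions scoped to domains that already call auth_login_pgm_domain(), rather than to a separate polydomain attribute that any module could assign.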