Because Ecryptfs does not support xattr, so a variety of application control type under ecryptfs user home is replaced by ecryptfs_t. In the
serepolicy-3.12.1 version, The 'use_ecryptfs_home_dirs' Boolean control ecyprfs_t type under users encrypted directory. The Boolean control granularity is coarse, such as xserver, Mozilla, chrome applications setting policy, while related to the home user domain gives the
ecryptfs_t object to operate and manage permissions. In the configuration of the ecryptfs_t type to control encrypted user home directory method has following problems :
1> ecryptfs user home directory only ecryptfs_t type, can not be distinguished by type between different applications under the user home
directory, so that use_ecryptfs_home_dirs Boolean control permission is too big.
2> if user home directory add new applications, you will need to supplement the application policy of ecryptfs_t type, while not directly use the existing policy that is used under the unencrypted user home directory.
To solve these problems, I have a idea that we can use 'semanage fcontext' command to realize ecrytfs user home directory and unencrypted user home directory shared control policy.
Actually, using the ecryptfs user home directory is to operate the encrypted directory (/home/.ecryptfs/$USER_NAME/. Pravite) . The files under encrypted directory and ecryptfs mounted point directory (/home/$USER_NAME/) are one to one. With the following commands, the
ecryptfs user home directory (but filenames aren't be encrypted) can be labelled with the unencrypted user home directory security context.
# semanage fcontext -a -e /home/$USER_NAME /home/.ecryptfs/$USER_NAME/.Private# restorecon -RFv /home/.ecryptfs/$USER_NAME/.Private# restorecon -R -v /home/.ecryptfs/
The ecryptfs does not encrypt user home directory filenames and only encypted file contents case, this method can realize to use common user home directory policy, better than the existing 'user_ecryptfs_home_dirs' boolean control.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20131101/f9d8fff5/attachment.html
This is posted to the wrong maillist i believe since i do not think
refpolicy support ecryptfs at all yet
I think you may be confusing refpolicy with the fedora selinux-policy
derivative
On Fri, 2013-11-01 at 09:58 +0800, AndrewYang wrote:
> Because Ecryptfs does not support xattr, so a variety of application control type under ecryptfs user home is replaced by ecryptfs_t. In the
> serepolicy-3.12.1 version, The 'use_ecryptfs_home_dirs' Boolean control ecyprfs_t type under users encrypted directory. The Boolean control granularity is coarse, such as xserver, Mozilla, chrome applications setting policy, while related to the home user domain gives the
> ecryptfs_t object to operate and manage permissions. In the configuration of the ecryptfs_t type to control encrypted user home directory method has following problems :
> 1> ecryptfs user home directory only ecryptfs_t type, can not be distinguished by type between different applications under the user home
> directory, so that use_ecryptfs_home_dirs Boolean control permission is too big.
> 2> if user home directory add new applications, you will need to supplement the application policy of ecryptfs_t type, while not directly use the existing policy that is used under the unencrypted user home directory.
> To solve these problems, I have a idea that we can use 'semanage fcontext' command to realize ecrytfs user home directory and unencrypted user home directory shared control policy.
> Actually, using the ecryptfs user home directory is to operate the encrypted directory (/home/.ecryptfs/$USER_NAME/. Pravite) . The files under encrypted directory and ecryptfs mounted point directory (/home/$USER_NAME/) are one to one. With the following commands, the
> ecryptfs user home directory (but filenames aren't be encrypted) can be labelled with the unencrypted user home directory security context.
> # semanage fcontext -a -e /home/$USER_NAME /home/.ecryptfs/$USER_NAME/.Private# restorecon -RFv /home/.ecryptfs/$USER_NAME/.Private# restorecon -R -v /home/.ecryptfs/
> The ecryptfs does not encrypt user home directory filenames and only encypted file contents case, this method can realize to use common user home directory policy, better than the existing 'user_ecryptfs_home_dirs' boolean control.
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy