From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 27 May 2009 11:56:17 -0400
Subject: [refpolicy] appconfig-mcs_default_contexts.patch
In-Reply-To: <4A1D6075.2010208@redhat.com>
References: <4A156664.5030701@redhat.com> <1243430190.5421.8.camel@gorn> <4A1D5B76.2000603@redhat.com> <1243438786.5421.52.camel@gorn> <4A1D6075.2010208@redhat.com>
Message-ID: <1243439779.5421.73.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2009-05-27 at 11:47 -0400, Daniel J Walsh wrote:
> On 05/27/2009 11:39 AM, Christopher J. PeBenito wrote:
> > On Wed, 2009-05-27 at 11:25 -0400, Daniel J Walsh wrote:
> >> On 05/27/2009 09:16 AM, Christopher J. PeBenito wrote:
> >>> On Thu, 2009-05-21 at 10:34 -0400, Daniel J Walsh wrote:
> >>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/appconfig-mcs_default_contexts.patch
> >>>>
> >>>> default context file should have one default context; all of the other
> >>>> types should be broken out into the users directory.
> >>> I disagree. We need defaults that work.
> >>>
> >> But the defaults are in the individual files which we now ship. So as I
> >> add a new user ABC_U type I need to provide a
> >> /etc/selinux/targeted/contexts/users/ABC_U
> >>
> >> And default_contexts will not work for that user if the ABC_U file is
> >> not there. So it will not Just work.
> >
> > If there are no default contexts specific to the seuser, the general
> > default_contexts will be used. It will cover people who want to add
> > their own seuser but don't add a seuser-specific default_contexts. It
> > doesn't hurt to have all of these entries in the general
> > default_contexts since all of the valid contexts are defined in policy.
> >
> But it doesn't help, and you end up with invalid contexts listed if you
> do not have that user type defined.

It doesn't hurt. The libraries have handled it for a very long time.

> So if I don't have unconfined_t or sysadm_t I end up with a bogus listing.

I'm not sure what you are saying. You would have to be missing all
standard roles to not be able to log in.

> I actually would get rid of the file altogether and force all user
> types to have a user context file.

That would be an argument for the SELinux list as that affects the
libraries.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
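The two behaviours argued over above (a per-seuser file under contexts/users/ taking precedence over the general default_contexts, and entries naming a type the loaded policy lacks being skipped rather than breaking login) can be seen in a small model. The following is an added illustration, not code from the thread, from libselinux or from refpolicy: it is a simplified resolver, and the file contents, the seuser names and the set of role:type pairs standing in for the "loaded policy" are constructed sample data, not copied from any real system.

```python
# Added example (not libselinux, refpolicy, or thread code): a simplified model
# of how an SELinux login program orders session contexts for an seuser.
# Assumptions: contexts/users/<seuser> is consulted first and the general
# default_contexts second; a candidate whose role:type the loaded policy does
# not define is skipped, not treated as an error. All data below is constructed.

# Line format shared by default_contexts and contexts/users/<seuser>:
#   <role:type:level of the calling process>  <role:type:level candidates for the session> ...
GENERAL_DEFAULT_CONTEXTS = """\
# constructed general file carrying entries for every shipped seuser
system_r:sshd_t:s0         unconfined_r:unconfined_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:local_login_t:s0  unconfined_r:unconfined_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
"""

STAFF_U_CONTEXTS = """\
# constructed contexts/users/staff_u: prefer staff_r, then sysadm_r
system_r:sshd_t:s0         staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
"""

# Constructed "loaded policy": the role:type pairs that exist. unconfined_t is
# deliberately absent in the first set, the situation raised in the thread.
POLICY_WITHOUT_UNCONFINED = {
    ("user_r", "user_t"), ("staff_r", "staff_t"), ("sysadm_r", "sysadm_t"),
}
POLICY_WITH_UNCONFINED = POLICY_WITHOUT_UNCONFINED | {("unconfined_r", "unconfined_t")}


def parse_contexts(text):
    """Map 'caller role:type:level' -> ordered list of candidate contexts."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        caller, *candidates = line.split()
        table.setdefault(caller, []).extend(candidates)
    return table


def role_type(context):
    """'user_r:user_t:s0' -> ('user_r', 'user_t'); the MLS/MCS level is ignored here."""
    parts = context.split(":")
    return (parts[0], parts[1])


def ordered_context_list(seuser, caller_context, files, policy_pairs):
    """Return the session contexts available to `seuser` when the login
    program runs as `caller_context`, most preferred first.

    files: dict of relative path -> file text, e.g.
           {"users/staff_u": ..., "default_contexts": ...}
    policy_pairs: set of (role, type) pairs the loaded policy defines.
    """
    ordered = []
    # Per-seuser file first (when present), the general file second.
    for path in ("users/%s" % seuser, "default_contexts"):
        text = files.get(path)
        if text is None:
            continue  # no seuser-specific file: fall through to the general one
        for candidate in parse_contexts(text).get(caller_context, []):
            if role_type(candidate) not in policy_pairs:
                continue  # entry for a type this policy lacks: skipped, not fatal
            if candidate not in ordered:
                ordered.append(candidate)
    return ordered


if __name__ == "__main__":
    files = {"users/staff_u": STAFF_U_CONTEXTS,
             "default_contexts": GENERAL_DEFAULT_CONTEXTS}
    # staff_u: its own file is honoured first, then the general file fills in.
    print(ordered_context_list("staff_u", "system_r:sshd_t:s0", files, POLICY_WITHOUT_UNCONFINED))
    # abc_u has no users/ file and still gets a working list from default_contexts;
    # the unconfined entry is silently dropped because the policy lacks it.
    print(ordered_context_list("abc_u", "system_r:sshd_t:s0", files, POLICY_WITHOUT_UNCONFINED))
```

Running it with the constructed data shows the point each side is making: a new seuser without a users/ file still logs in off the general file, and an entry such as unconfined_r:unconfined_t:s0 in that file is harmless when the policy does not define it, because it never becomes a candidate. The login only fails when every listed role:type is missing from the policy.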