From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 07 Jun 2010 09:27:40 -0400
Subject: [refpolicy] kernel_domain.patch
In-Reply-To: <1275915086.809.86.camel@gorn.columbia.tresys.com>
References: <4C06BD01.3000706@redhat.com> <1275658792.809.49.camel@gorn.columbia.tresys.com> <4C090511.3070601@redhat.com> <1275915086.809.86.camel@gorn.columbia.tresys.com>
Message-ID: <4C0CF3CC.60807@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/07/2010 08:51 AM, Christopher J. PeBenito wrote:
> On Fri, 2010-06-04 at 09:52 -0400, Daniel J Walsh wrote:
>> On 06/04/2010 09:39 AM, Christopher J. PeBenito wrote:
>>> On Wed, 2010-06-02 at 16:20 -0400, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_domain.patch
>>>>
>>>> Fix interface descriptions
>>>>
>>>> Lots of new domains.
>>>>
>>>> Added polydomain
>>>
>>> What is the purpose of polydomain?
>>>
>>
>> If I have a polyinstantiated homedir, like on an MLS machine, when a login
>> program creates the homedir it needs to populate it with content from
>> /etc/skel. When it does this, it needs to relabel it to user homedir
>> content.
>
> That sounds like rules in auth_login_pgm_domain() that should already
> exist.
>
>> tunable_policy(`allow_polyinstantiation',`
>>         files_polyinstantiate_all(polydomain)
>>         userdom_manage_user_home_content_dirs(polydomain)
>>         userdom_manage_user_home_content_files(polydomain)
>>         userdom_relabelto_user_home_dirs(polydomain)
>>         userdom_relabelto_user_home_files(polydomain)
>> ')
>

The rules do not exist there currently other than files_polyinstantiate_all(polydomain). We could move this there or eliminate it and use the attribute to save hundreds/thousands of rules.
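The two options discussed above (rules inside auth_login_pgm_domain(), or rules written once against a polydomain attribute) side by side, as an added example in refpolicy style; this is not code from kernel_domain.patch or from the refpolicy tree. The interface names and the allow_polyinstantiation tunable are the ones quoted in the thread; `$1` is refpolicy's usual placeholder for the calling domain, and `login_t` is assumed here as an example caller.

```m4
# Option 1: move the rules into the existing auth_login_pgm_domain()
# interface. The block below goes inside the body of
#   interface(`auth_login_pgm_domain', ...)
# so $1 is whichever login program domain calls the interface. Every
# caller then expands its own copy of these rules into the policy.
tunable_policy(`allow_polyinstantiation',`
	files_polyinstantiate_all($1)
	userdom_manage_user_home_content_dirs($1)
	userdom_manage_user_home_content_files($1)
	userdom_relabelto_user_home_dirs($1)
	userdom_relabelto_user_home_files($1)
')

# Option 2: keep a single attribute and write the rules against it once.
# A login program domain opts in with one typeattribute statement instead
# of expanding the whole block, which is what keeps the rule count down.
attribute polydomain;

tunable_policy(`allow_polyinstantiation',`
	files_polyinstantiate_all(polydomain)
	userdom_manage_user_home_content_dirs(polydomain)
	userdom_manage_user_home_content_files(polydomain)
	userdom_relabelto_user_home_dirs(polydomain)
	userdom_relabelto_user_home_files(polydomain)
')

# In a login program's own module (login_t is an assumed example caller):
typeattribute login_t polydomain;
```

The trade-off is the one the reply points at: rules on an attribute are emitted once in the compiled policy and apply to every type carrying it, whereas an interface body is re-expanded per caller, so with many login domains and five userdom rules each the per-caller form grows quickly. The attribute form is also only as broad as the set of domains given `typeattribute ... polydomain`, so it does not silently widen access for callers of auth_login_pgm_domain() that never touch polyinstantiated homedirs.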