From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 07 Jun 2010 09:46:45 -0400
Subject: [refpolicy] kernel_domain.patch
In-Reply-To: <4C0CF3CC.60807@redhat.com>
References: <4C06BD01.3000706@redhat.com> <1275658792.809.49.camel@gorn.columbia.tresys.com> <4C090511.3070601@redhat.com> <1275915086.809.86.camel@gorn.columbia.tresys.com> <4C0CF3CC.60807@redhat.com>
Message-ID: <1275918405.809.98.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2010-06-07 at 09:27 -0400, Daniel J Walsh wrote:
> On 06/07/2010 08:51 AM, Christopher J. PeBenito wrote:
> > On Fri, 2010-06-04 at 09:52 -0400, Daniel J Walsh wrote:
> >> On 06/04/2010 09:39 AM, Christopher J. PeBenito wrote:
> >>> On Wed, 2010-06-02 at 16:20 -0400, Daniel J Walsh wrote:
> >>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_domain.patch
> >>>>
> >>>> Fix interface descriptions
> >>>>
> >>>> Lots of new domains.
> >>>>
> >>>> Added polydomain
> >>>
> >>> What is the purpose of polydomain?
> >>>
> >>
> >> If I have a polyinstantiated homedir like on an MLS machine. When login
> >> programs create the homedir they need to populate it with content from
> >> /etc/skel. When they do this, they need to relabel it to user homedir
> >> content.
> >
> > That sounds like rules in auth_login_pgm_domain() that should already
> > exist.
> >
> >> tunable_policy(`allow_polyinstantiation',`
> >> files_polyinstantiate_all(polydomain)
> >> userdom_manage_user_home_content_dirs(polydomain)
> >> userdom_manage_user_home_content_files(polydomain)
> >> userdom_relabelto_user_home_dirs(polydomain)
> >> userdom_relabelto_user_home_files(polydomain)
> >> ')
>
> The rules do not exist there currently other than
> files_polyinstantiate_all(polydomain)
>
> We could move this there or eliminate it and use the attribute to save
> hundreds/thousands of rules.

I'd prefer it as part of the auth_login_pgm_domain(), since that is what
the concept is.

If you want to look at turning that interface into an attribute with
rules in authlogin.te then that would be fine. If you're that concerned
about the rule count, perhaps you could convince Red Hat to invest some
time in an optimizing policy compiler? :)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
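The attribute-based layout Chris alludes to, as an added illustration that is not code from refpolicy or from either poster: it reuses the rule block quoted in the thread and assumes the attribute is declared and given its rules once in authlogin.te, while auth_login_pgm_domain() in authlogin.if only adds the calling domain to that attribute.

```m4
# authlogin.te (illustrative layout, not the real file contents)
# Declare the attribute once. The tunable rules below are written a
# single time against the attribute instead of being expanded into every
# module whose domain calls auth_login_pgm_domain().
attribute polydomain;

tunable_policy(`allow_polyinstantiation',`
	files_polyinstantiate_all(polydomain)
	userdom_manage_user_home_content_dirs(polydomain)
	userdom_manage_user_home_content_files(polydomain)
	userdom_relabelto_user_home_dirs(polydomain)
	userdom_relabelto_user_home_files(polydomain)
')

# authlogin.if (illustrative): the interface only tags the caller with
# the attribute, so each login program adds one typeattribute statement
# rather than its own copy of the five rules above.
interface(`auth_login_pgm_domain',`
	gen_require(`
		attribute polydomain;
	')

	typeattribute $1 polydomain;

	# the interface's existing rules for login programs continue here
')
```

After the policy is loaded, `seinfo -apolydomain -x` lists the domains the attribute covers, which is the quickest way to confirm that every login program picked up the polyinstantiation rules.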