From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 21 Mar 2011 10:44:34 -0400
Subject: [refpolicy] [patch 2/2] namespace: new policy for namespace.init script
In-Reply-To: <4D6F7117.9050207@redhat.com>
References: <4D6F7117.9050207@redhat.com>
Message-ID: <4D876452.4060201@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/03/11 05:44, Miroslav Grepl wrote:
> http://mgrepl.fedorapeople.org/F15/apps_namespace_p2.patch
>
> * adds polydomain attribute for login programs

I'm unsure why this is necessary.

> * namespace.init runs restorecon
> * make ssh_home_t parent of polyinstantiated directory since
>   pam_namespace.so can be used for ssh

I don't think I follow. Wouldn't the whole home directory be polyinstantiated, not just the .ssh dir?

> * make user_tmp_t parent of polyinstantiated directory

This also seems odd.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com