From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 22 Mar 2011 08:25:52 -0400
Subject: [refpolicy] [patch 2/2] namespace: new policy for namespace.init script
In-Reply-To: <4D876452.4060201@tresys.com>
References: <4D6F7117.9050207@redhat.com> <4D876452.4060201@tresys.com>
Message-ID: <4D889550.1030803@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/21/2011 10:44 AM, Christopher J. PeBenito wrote:
> On 03/03/11 05:44, Miroslav Grepl wrote:
>> http://mgrepl.fedorapeople.org/F15/apps_namespace_p2.patch
>>
>> * adds polydomain attribute for login programs
>
> I'm unsure why this is necessary.
>
>> * namespace.init runs restorecon
>> * make ssh_home_t parent of polyinstantiated directory since
>> pam_namespace.so can be used for ssh
>
> I don't think I follow. Wouldn't the whole home directory be
> polyinstantiated, not just the .ssh dir?
>
>> * make user_tmp_t parent of polyinstantiated directory
>
> This also seems odd.
>

Let's examine what is going on. We want to allow the login programs to
populate a newly created directory from /etc/skel with proper labelling.
If the admin puts /etc/skel/.ssh then this directory needs to be created
by namespace.init with ssh_home_t.
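
Added example, not part of the original message and not the namespace.init script from the patch: the populate-then-relabel step the message describes, written as shell functions so the resulting label on .ssh can be inspected. The function names populate_instance and label_of are hypothetical, and the skeleton and instance directories are passed in as arguments.

```shell
#!/bin/sh
# Added illustration; not the namespace.init shipped with pam_namespace.

# populate_instance SKEL DEST (hypothetical helper): copy skeleton files
# into a freshly created polyinstantiated directory, then reset SELinux
# labels to the policy defaults.
populate_instance() {
    skel=$1
    dest=$2
    [ -d "$skel" ] || { echo "no skeleton dir: $skel" >&2; return 1; }
    [ -d "$dest" ] || { echo "no instance dir: $dest" >&2; return 1; }

    # "$skel/." copies the contents including dotfiles such as .ssh.
    # -P keeps symlinks as symlinks, -p keeps modes so a 0700 .ssh stays 0700.
    cp -RPp "$skel/." "$dest/" || return 1

    # Relabel only where SELinux is active. The copy alone leaves files with
    # whatever label they inherit; restorecon applies the file context
    # rules, which is the step that has to yield ssh_home_t on .ssh.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        restorecon -R "$dest" || return 1
    fi
    return 0
}

# label_of PATH (hypothetical helper): print the SELinux type of PATH,
# or "unlabeled" when no user:role:type context is reported.
label_of() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || ctx=
    case $ctx in
        *:*:*) echo "$ctx" | cut -d: -f3 ;;
        *)     echo unlabeled ;;
    esac
}
```

On an SELinux-enabled system, running label_of on the copied .ssh directory after populate_instance shows whether the relabel produced the type the policy expects.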