From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 23 Mar 2011 09:39:09 -0400
Subject: [refpolicy] [patch 2/2] namespace: new policy for namespace.init script
In-Reply-To: <4D889550.1030803@redhat.com>
References: <4D6F7117.9050207@redhat.com> <4D876452.4060201@tresys.com> <4D889550.1030803@redhat.com>
Message-ID: <4D89F7FD.2060909@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/22/11 08:25, Daniel J Walsh wrote:
> On 03/21/2011 10:44 AM, Christopher J. PeBenito wrote:
>> On 03/03/11 05:44, Miroslav Grepl wrote:
>>> http://mgrepl.fedorapeople.org/F15/apps_namespace_p2.patch
>>>
>>> * adds polydomain attribute for login programs
>
>> I'm unsure why this is necessary.
>
>>> * namespace.init runs restorecon
>>> * make ssh_home_t parent of polyinstantiated directory since
>>> pam_namespace.so can be used for ssh
>
>> I don't think I follow. Wouldn't the whole home directory be
>> polyinstantiated, not just the .ssh dir?
>
>>> * make user_tmp_t parent of polyinstantiated directory
>
>> This also seems odd.
>
> Let's examine what is going on. We want to allow the login programs to
> populate a newly created directory from /etc/skel with proper labelling.
> If the admin puts /etc/skel/.ssh then this directory needs to be
> created by namespace.init with ssh_home_t.

Yes, I know that's what happens. I just got polydir and polyparent mixed up.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
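The populate-and-relabel step Dan describes above, as an added example that is neither the Fedora namespace.init script nor part of this thread. It follows the argument contract pam_namespace(8) documents for its init script (polyinstantiated directory, instance directory, a flag that is 1 only when the instance was just created, and the user name); the function name populate_polydir and the SKEL_DIR override are assumptions made for the example, and /etc/skel is the default as in the discussion. The point it demonstrates is the ordering: copy the skeleton (dotfiles such as .ssh included), hand it to the user, then run restorecon -R so a copied .ssh ends up as ssh_home_t rather than carrying the label it had under /etc/skel.

```shell
#!/bin/sh
# Added example (not the refpolicy or Fedora namespace.init script).
# Arguments follow the pam_namespace init-script contract:
#   $1 polyinstantiated directory (the path the user sees)
#   $2 instance directory (unused here, kept for the contract)
#   $3 "1" if pam_namespace just created this instance, "0" otherwise
#   $4 user name
# SKEL_DIR is an assumed override so the example can run against a
# constructed skeleton; the default is /etc/skel.
populate_polydir() {
    polydir=$1
    instance=$2
    newly_created=$3
    user=$4
    skel=${SKEL_DIR:-/etc/skel}

    # Only a freshly created instance is populated; a later login must
    # not overwrite files the user already has in it.
    [ "$newly_created" = 1 ] || return 0

    # Copy the skeleton contents, dotfiles included, into the new
    # directory ("$skel/." copies the contents, not the directory).
    if [ -d "$skel" ]; then
        cp -a "$skel/." "$polydir"
    fi

    # pam_namespace runs the init script as root; only then can ownership
    # be handed to the user (skipped when demonstrated unprivileged).
    if [ "$(id -u)" = 0 ]; then
        chown -R "$user:$(id -g "$user")" "$polydir"
    fi

    # Relabel everything that was just copied. This is the step that gives
    # a copied .ssh its ssh_home_t context instead of the skel's label.
    # Skipped gracefully on hosts without SELinux tooling.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$polydir" 2>/dev/null || :
    fi
    return 0
}

# Usage (as root, from pam_namespace): populate_polydir "$1" "$2" "$3" "$4"
```

Note that the relabel comes last: files copied by cp -a inherit the context of the target directory or keep the source's, so relabelling before the copy would leave the .ssh tree mislabelled.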