On 01/15/2018 10:33 PM, José Bollo wrote:
On Wed, 10 Jan 2018 17:50:19 +0800
wenzong fan <[email protected]> wrote:
On 01/10/2018 01:01 AM, Patrick Ohly wrote:
On Fri, 2018-01-05 at 01:07 +0000, Fan, Wenzong wrote:
It works and will override the labels of home dir that SELinux
applied, that's the issue.
For SELinux enabled system, the user's home dir should have label
'user_home_dir_t' instead of 'etc_t', it prevents users from
creating files in their home dir.
Sounds like the "copy xattr" function needs to become a bit
smarter: it needs to understand some of the semantics involved and
skip those SELinux xattrs that are always meant to be set
dynamically by the running kernel.
Wenzong, which xattrs are those? Do you agree with the proposed
solution?
The xattr for selinux is "security.selinux":
$ getfattr -n security.selinux /home/t1
security.selinux="user_u:object_r:user_home_dir_t:s0-s15:c0.c1023"
I think the "attr_copy_file()" is doing the right thing, but it should be
used in a limited situation, such as only for Smack ...
Thanks
Wenzong
The LSM "SELinux" is complicated enough to change label of template
files to label of instance files correctly. The approach with Smack is
different and the template files embed the expected complex hierarchy
that otherwise could only be created with a program.
A possible approach would be with smack to add a program for creating
homes. Conversely, SELinux could consider to use template approach too
instead of increasing its rules set (with templating split in two
parts: files and "creation" rules).
From "man 7 xattr" we know:
- extended attributes are namespaced
- the fully qualified name is "namespace.attribute"
- actual namespaces are security, system, trusted, and user
A possibility would be to filter the copied extended attributes. For
SELinux we can just tell to not copy "security" attributes. See
manual of the command "tar" (recent version) that has options
--xattrs-exclude and --xattr-include.
Is there a need to copy extended attributes except for Smack?
I'm inclined to limit the patch only to Smack with a proper bbappend, and
maybe we'll want a distro feature as well. Enabling both SELinux and Smack
is not a normal use case; sometimes users choose Smack because SELinux
is too heavy for their system. (except if you know a case that Smack
can do but SELinux can't)
About how to get Smack and SELinux to work together, I'm not sure if their
communities have also considered that. Only fixing the xattr issue may
not be enough ...
Thanks
Wenzong
Jose, can you look into updating your patch accordingly?
Perhaps yes but not now because I don't know what to do.
Best regards
Jose
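The namespace filtering José suggests (tar-style include/exclude patterns) and the "copy only for Smack" limitation Wenzong prefers, as an added Python example that is not part of the thread or of the patch under discussion; the sample attribute list is constructed, and the `security.SMACK64*` names are assumed from Smack's own documentation rather than taken from the thread:

```python
import fnmatch
import os

# Constructed sample: attribute names a template home directory might carry.
SAMPLE_NAMES = [
    "security.selinux",
    "security.SMACK64",
    "security.SMACK64TRANSMUTE",
    "user.comment",
]


def filter_xattr_names(names, include=None, exclude=()):
    """Apply tar-style include/exclude glob patterns to xattr names.
    A name is kept when it matches any include pattern (or include is None)
    and matches no exclude pattern. Shell globbing lets a whole namespace
    be addressed at once, e.g. 'security.*'."""
    kept = []
    for name in names:
        if include is not None and not any(fnmatch.fnmatchcase(name, p) for p in include):
            continue
        if any(fnmatch.fnmatchcase(name, p) for p in exclude):
            continue
        kept.append(name)
    return kept


def copy_xattrs(src, dst, include=None, exclude=()):
    """Copy the selected xattrs from src to dst. Symlinks are not followed,
    so the labels of the entry itself (not its target) are read and written.
    Returns the list of attribute names copied."""
    names = os.listxattr(src, follow_symlinks=False)
    copied = []
    for name in filter_xattr_names(names, include, exclude):
        value = os.getxattr(src, name, follow_symlinks=False)
        os.setxattr(dst, name, value, follow_symlinks=False)
        copied.append(name)
    return copied


# Policies for the two cases discussed: under SELinux skip the whole
# 'security' namespace so the kernel labels the new home itself
# (user_home_dir_t rather than the template's etc_t); for Smack copy only
# the Smack labels, which carry the hierarchy the template embeds.
SELINUX_POLICY = {"exclude": ("security.*",)}
SMACK_ONLY_POLICY = {"include": ("security.SMACK64*",)}

if __name__ == "__main__":
    print(filter_xattr_names(SAMPLE_NAMES, **SELINUX_POLICY))
    print(filter_xattr_names(SAMPLE_NAMES, **SMACK_ONLY_POLICY))
```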
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core