Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2018-01-15 Thread wenzong fan
On 01/15/2018 10:33 PM, José Bollo wrote: On Wed, 10 Jan 2018 17:50:19 +0800 wenzong fan wrote: On 01/10/2018 01:01 AM, Patrick Ohly wrote: On Fri, 2018-01-05 at 01:07 +, Fan, Wenzong wrote: It works and will override the labels of home dir that SELinux

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2018-01-15 Thread Patrick Ohly
On Mon, 2018-01-15 at 15:33 +0100, José Bollo wrote: > A possibility would be to filter the copied extended attributes. For > SELinux we can just tell to not copy "security" attributes. See > manual of the command "tar" (recent version) that has options > --xattrs-exclude and --xattr-include. > >

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2018-01-15 Thread José Bollo
On Wed, 10 Jan 2018 17:50:19 +0800 wenzong fan wrote: > On 01/10/2018 01:01 AM, Patrick Ohly wrote: > > On Fri, 2018-01-05 at 01:07 +, Fan, Wenzong wrote: > >> It works and will override the labels of home dir that SELinux > >> applied, that's the issue. > >> >

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2018-01-10 Thread Patrick Ohly
On Tue, 2018-01-09 at 11:51 -0600, Mark Hatle wrote: > On 1/4/18 4:41 AM, Patrick Ohly wrote: > > On Thu, 2018-01-04 at 11:18 +0100, José Bollo wrote: > > > > Do you agree to move the patch to Smack specific layer? Such > > > > as  > > > > meta-security? > > > > > > I agree. > > > > Layers like

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2018-01-10 Thread wenzong fan
On 01/10/2018 01:01 AM, Patrick Ohly wrote: On Fri, 2018-01-05 at 01:07 +, Fan, Wenzong wrote: It works and will override the labels of home dir that SELinux applied, that's the issue. For SELinux enabled system, the user's home dir should have label 'user_home_dir_t' instead of 'etc_t',

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2018-01-09 Thread Mark Hatle
On 1/4/18 4:41 AM, Patrick Ohly wrote: > On Thu, 2018-01-04 at 11:18 +0100, José Bollo wrote: >>> Do you agree to move the patch to Smack specific layer? Such as  >>> meta-security? >> >> I agree. > > Layers like meta-security should not modify recipes from other layers, > at least not by

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2018-01-09 Thread Patrick Ohly
On Fri, 2018-01-05 at 01:07 +, Fan, Wenzong wrote: > It works and will override the labels of home dir that SELinux > applied, that's the issue. > > For SELinux enabled system, the user's home dir should have label > 'user_home_dir_t' instead of 'etc_t', it prevents users from creating >

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2018-01-04 Thread Fan, Wenzong
From: Patrick Ohly [patrick.o...@intel.com] Sent: Thursday, January 04, 2018 7:50 PM To: Fan, Wenzong; José Bollo Cc: openembedded-core@lists.openembedded.org Subject: Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes On Thu, 2018-01-04 at 19:39 +0800, wenzong

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2018-01-04 Thread Patrick Ohly
On Thu, 2018-01-04 at 19:39 +0800, wenzong fan wrote: > If so, I think we should wrapper the logic with: > > +#if defined(WITH_ATTR) && !defined(WITH_SELINUX) > +  attr_copy_file (def_template, user_home, NULL, NULL); > +#endif Does attr_copy_file fail when SELinux is active? In other words,
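
Review bot: the guard "#if defined(WITH_ATTR) && !defined(WITH_SELINUX)" is evaluated at build time, so any useradd built with SELinux support drops the attr_copy_file call entirely, including on systems where SELinux is not active at runtime; a runtime check around the call would keep the attribute copy for those systems. The return value of "attr_copy_file (def_template, user_home, NULL, NULL);" is also discarded in the quoted lines, so a failed copy would leave the new home directory without the template's attributes and without any diagnostic; check the result and report the failure.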

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2018-01-04 Thread wenzong fan
On 01/04/2018 06:41 PM, Patrick Ohly wrote: On Thu, 2018-01-04 at 11:18 +0100, José Bollo wrote: Do you agree to move the patch to Smack specific layer? Such as meta-security? I agree. Layers like meta-security should not modify recipes from other layers, at least not by default. That

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2018-01-04 Thread Patrick Ohly
On Thu, 2018-01-04 at 11:18 +0100, José Bollo wrote: > > Do you agree to move the patch to Smack specific layer? Such as  > > meta-security? > > I agree. Layers like meta-security should not modify recipes from other layers, at least not by default. That would violate the "Yocto Compatible 2.0"

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2018-01-04 Thread José Bollo
On Thu, 4 Jan 2018 17:28:27 +0800 wenzong fan wrote: > Hi José Bollo, > > This will override the labels of user's home directories that set by > SELinux. > > For example, if I run below command on SELinux enabled system: > > $ useradd test > > SELinux will label

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2018-01-04 Thread wenzong fan
On 01/04/2018 05:28 PM, wenzong fan wrote: Hi José Bollo, This will override the labels of user's home directories that set by SELinux. For example, if I run below command on SELinux enabled system: $ useradd test Sorry for the typo: s/test/t1/g to match with strace logs. // Wenzong

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2018-01-04 Thread wenzong fan
Hi José Bollo, This will override the labels of user's home directories that set by SELinux. For example, if I run below command on SELinux enabled system: $ useradd test SELinux will label it as "user_u:object_r:user_home_dir_t:SystemLow" first, and then useradd will reset the label as

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2017-03-15 Thread José Bollo
On Thu, 09 Mar 2017 18:18:05 +0100 Patrick Ohly wrote: > On Thu, 2017-03-09 at 17:48 +0100, José Bollo wrote: > > On Thu, 09 Mar 2017 17:07:54 +0100 > > Patrick Ohly wrote: > > > Can't you reorder and rebase the patches so that this > > >

[OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2017-03-13 Thread jobol
From: José Bollo The copy of extended attributes is interesting for Smack systems because it allows to set the security template of the user's home directories without modifying the tools (useradd here). But the version of useradd that copies the extended attributes doesn't

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2017-03-09 Thread Patrick Ohly
On Thu, 2017-03-09 at 17:48 +0100, José Bollo wrote: > On Thu, 09 Mar 2017 17:07:54 +0100 > Patrick Ohly wrote: > > Can't you reorder and rebase the patches so that this > > 0001-useradd.c-create-parent-directories-when-necessary.patch applies > > on top of the patch which

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2017-03-09 Thread José Bollo
On Thu, 09 Mar 2017 17:07:54 +0100 Patrick Ohly wrote: > On Thu, 2017-03-09 at 15:07 +0100, jo...@nonadev.net wrote: > > From: José Bollo > > > > The copy of extended attributes is interesting for > > Smack systems because it allows to set the

Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2017-03-09 Thread Patrick Ohly
On Thu, 2017-03-09 at 15:07 +0100, jo...@nonadev.net wrote: > From: José Bollo > > The copy of extended attributes is interesting for > Smack systems because it allows to set the security > template of the user's home directories without > modifying the tools (useradd here).

[OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

2017-03-09 Thread jobol
From: José Bollo The copy of extended attributes is interesting for Smack systems because it allows to set the security template of the user's home directories without modifying the tools (useradd here). But the version of useradd that copies the extended attributes doesn't