On 01/15/2018 10:33 PM, José Bollo wrote:
On Wed, 10 Jan 2018 17:50:19 +0800
wenzong fan wrote:
On 01/10/2018 01:01 AM, Patrick Ohly wrote:
On Fri, 2018-01-05 at 01:07 +, Fan, Wenzong wrote:
It works and will override the labels of home dir that SELinux
On Mon, 2018-01-15 at 15:33 +0100, José Bollo wrote:
> A possibility would be to filter the copied extended attributes. For
> SELinux we can just tell to not copy "security" attributes. See
> manual of the command "tar" (recent version) that has options
> --xattrs-exclude and --xattr-include.
>
>
On Wed, 10 Jan 2018 17:50:19 +0800
wenzong fan wrote:
> On 01/10/2018 01:01 AM, Patrick Ohly wrote:
> > On Fri, 2018-01-05 at 01:07 +, Fan, Wenzong wrote:
> >> It works and will override the labels of home dir that SELinux
> >> applied, that's the issue.
> >>
>
On Tue, 2018-01-09 at 11:51 -0600, Mark Hatle wrote:
> On 1/4/18 4:41 AM, Patrick Ohly wrote:
> > On Thu, 2018-01-04 at 11:18 +0100, José Bollo wrote:
> > > > Do you agree to move the patch to Smack specific layer? Such
> > > > as
> > > > meta-security?
> > >
> > > I agree.
> >
> > Layers like
On 01/10/2018 01:01 AM, Patrick Ohly wrote:
On Fri, 2018-01-05 at 01:07 +, Fan, Wenzong wrote:
It works and will override the labels of home dir that SELinux
applied, that's the issue.
For SELinux enabled system, the user's home dir should have label
'user_home_dir_t' instead of 'etc_t',
On 1/4/18 4:41 AM, Patrick Ohly wrote:
> On Thu, 2018-01-04 at 11:18 +0100, José Bollo wrote:
>>> Do you agree to move the patch to Smack specific layer? Such as
>>> meta-security?
>>
>> I agree.
>
> Layers like meta-security should not modify recipes from other layers,
> at least not by
On Fri, 2018-01-05 at 01:07 +, Fan, Wenzong wrote:
> It works and will override the labels of home dir that SELinux
> applied, that's the issue.
>
> For SELinux enabled system, the user's home dir should have label
> 'user_home_dir_t' instead of 'etc_t', it prevents users from creating
>
From: Patrick Ohly [patrick.o...@intel.com]
Sent: Thursday, January 04, 2018 7:50 PM
To: Fan, Wenzong; José Bollo
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended
attributes
On Thu, 2018-01-04 at 19:39 +0800, wenzong
On Thu, 2018-01-04 at 19:39 +0800, wenzong fan wrote:
> If so, I think we should wrap the logic with:
>
> +#if defined(WITH_ATTR) && !defined(WITH_SELINUX)
> + attr_copy_file (def_template, user_home, NULL, NULL);
> +#endif
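Review bot: The `!defined(WITH_SELINUX)` condition on the `#if` line is decided at build time, so any binary built with SELinux support drops the attribute copy entirely, including on systems where SELinux is not enabled at run time. Consider keeping the guard as `#if defined(WITH_ATTR)` and either testing for SELinux at run time or passing a check callback as the third argument of `attr_copy_file` (instead of `NULL`) that skips only the SELinux label. The return value of `attr_copy_file` is also discarded; a failed copy should at least be reported.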
Does attr_copy_file fail when SELinux is active? In other words,
On 01/04/2018 06:41 PM, Patrick Ohly wrote:
On Thu, 2018-01-04 at 11:18 +0100, José Bollo wrote:
Do you agree to move the patch to Smack specific layer? Such as
meta-security?
I agree.
Layers like meta-security should not modify recipes from other layers,
at least not by default. That
On Thu, 2018-01-04 at 11:18 +0100, José Bollo wrote:
> > Do you agree to move the patch to Smack specific layer? Such as
> > meta-security?
>
> I agree.
Layers like meta-security should not modify recipes from other layers,
at least not by default. That would violate the "Yocto Compatible 2.0"
On Thu, 4 Jan 2018 17:28:27 +0800
wenzong fan wrote:
> Hi José Bollo,
>
> This will override the labels of user's home directories that are set by
> SELinux.
>
> For example, if I run below command on SELinux enabled system:
>
> $ useradd test
>
> SELinux will label
On 01/04/2018 05:28 PM, wenzong fan wrote:
Hi José Bollo,
This will override the labels of user's home directories that are set by
SELinux.
For example, if I run below command on SELinux enabled system:
$ useradd test
Sorry for the typo: s/test/t1/g to match with strace logs.
// Wenzong
Hi José Bollo,
This will override the labels of user's home directories that are set by
SELinux.
For example, if I run below command on SELinux enabled system:
$ useradd test
SELinux will label it as "user_u:object_r:user_home_dir_t:SystemLow"
first, and then useradd will reset the label as
On Thu, 09 Mar 2017 18:18:05 +0100
Patrick Ohly wrote:
> On Thu, 2017-03-09 at 17:48 +0100, José Bollo wrote:
> > On Thu, 09 Mar 2017 17:07:54 +0100
> > Patrick Ohly wrote:
> > > Can't you reorder and rebase the patches so that this
> > >
From: José Bollo
The copy of extended attributes is interesting for
Smack systems because it allows to set the security
template of the user's home directories without
modifying the tools (useradd here). But the version
of useradd that copies the extended attributes doesn't
On Thu, 2017-03-09 at 17:48 +0100, José Bollo wrote:
> On Thu, 09 Mar 2017 17:07:54 +0100
> Patrick Ohly wrote:
> > Can't you reorder and rebase the patches so that this
> > 0001-useradd.c-create-parent-directories-when-necessary.patch applies
> > on top of the patch which
On Thu, 09 Mar 2017 17:07:54 +0100
Patrick Ohly wrote:
> On Thu, 2017-03-09 at 15:07 +0100, jo...@nonadev.net wrote:
> > From: José Bollo
> >
> > The copy of extended attributes is interesting for
> > Smack systems because it allows to set the
On Thu, 2017-03-09 at 15:07 +0100, jo...@nonadev.net wrote:
> From: José Bollo
>
> The copy of extended attributes is interesting for
> Smack systems because it allows to set the security
> template of the user's home directories without
> modifying the tools (useradd here).
From: José Bollo
The copy of extended attributes is interesting for
Smack systems because it allows to set the security
template of the user's home directories without
modifying the tools (useradd here). But the version
of useradd that copies the extended attributes doesn't
20 matches