This patch implements support for policies using RBACSEP in genhomedircon.  It
works by using an SELinux user's "prefix" as the role in their homedir contexts.
It seems that genhomedircon has previously supported something similar, as it'll
currently replace the string "ROLE" with whatever a user's prefix is.  However,
if using CIL we can't leverage this, since secilc will complain about the
semantics of an invalid role named "ROLE" in a filecon statement.

Since there's no way for a CIL policy to tell genhomedircon whether a role
should be replaced or not, a new "genhomedircon-rbacsep" option was added to
/etc/selinux/semanage.conf.

I'm not convinced that this is the best way to go about this.  Maybe an initial
role can be implicitly figured out using libsepol's API? Anyway, I've submitted
this to see if there are any better options for supporting RBACSEP in home dir
context generation.

There was some previous discussion about this here for reference:
http://oss.tresys.com/pipermail/refpolicy/2011-August/004417.html

Gary Tierney (1):
  genhomedircon: support policies using RBACSEP

 libsemanage/src/conf-parse.y    | 14 +++++++++++++-
 libsemanage/src/conf-scan.l     |  1 +
 libsemanage/src/genhomedircon.c | 30 +++++++++++++++++++++++++++++-
 libsemanage/src/semanage_conf.h |  1 +
 4 files changed, 44 insertions(+), 2 deletions(-)

-- 
2.4.11
