Policy for authenticating domain users

Dominick Grift domg472 at gmail.com
Mon Feb 15 19:27:54 UTC 2010


On 02/15/2010 07:27 PM, Scott Salley wrote:
> I'm working on a set of patches to integrate Likewise Open (Active
> Directory authentication for Unix/Linux/Mac) into Fedora/SELinux.
> 
> I am having trouble defining how a user's home directory should be
> handled.
> 
> We don't place users directly in /home as the domain user account name
> may conflict with an existing account. Instead, we use /home/%D/%U
> where %D is the domain and %U is the user account.  (We may have users
> with the same account name in different domains.)
> 
> I want to make sure that if users are joined while SELinux is not
> enabled, and then SELinux is re-enabled, the files get the proper
> contexts.
> 
> Suggestions?

I think that is problematic because of this file context specification
in /etc/selinux/targeted/contexts/files/file_contexts.homedirs:

/home/[^/]*/.+  guest_u:object_r:user_home_t:s0

That basically says label everything below /home/*/ with type
user_home_t, I believe.

/home/[^/]*     -d      guest_u:object_r:user_home_dir_t:s0

This says label all directories directly below /home with type user_home_dir_t, I believe.

You want /home/domain and /home/domain/* to be user_home_dir_t, I believe.

I think that would conflict with the current specification: i.e. should
it label /home/*/* user_home_t or user_home_dir_t?

If and when that, imo fundamental, issue is resolved, it is just a matter
of cloning the entries from
/etc/selinux/targeted/contexts/files/file_contexts.homedirs, I believe.

I will be interested in what others' opinion is on this matter, as I might be
wrong.

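To make the labelling conflict concrete, here is an added example (not code from the thread, from Likewise Open or from Fedora's SELinux tooling) that applies the two file_contexts.homedirs entries quoted above, plus an assumed `/home/[^/]*/[^/]*  -d` entry standing in for the /home/%D/%U layout, to constructed paths. As in file_contexts, each regex is matched against the whole path and `-d` restricts an entry to directories; the paths and the domain name are constructed.

```python
import re

# The two entries quoted from file_contexts.homedirs above.
FILE_CONTEXTS_HOMEDIRS = [
    ("/home/[^/]*/.+", None, "guest_u:object_r:user_home_t:s0"),
    ("/home/[^/]*",    "-d", "guest_u:object_r:user_home_dir_t:s0"),
]

# Assumed entry for the /home/%D/%U layout: label the per-user directory
# under a domain directory as user_home_dir_t. Constructed for this example.
DOMAIN_CANDIDATE = [
    ("/home/[^/]*/[^/]*", "-d", "guest_u:object_r:user_home_dir_t:s0"),
]


def matching_specs(path, is_dir, specs):
    """Return every (regex, context) whose anchored regex matches `path`.
    Only the -d file-type flag (directories) is modelled."""
    found = []
    for regex, ftype, ctx in specs:
        if ftype == "-d" and not is_dir:
            continue
        if re.fullmatch(regex, path):  # whole-path match, like file_contexts
            found.append((regex, ctx))
    return found


def matched_types(path, is_dir, specs):
    """Distinct SELinux types the specs would assign to `path`.
    More than one type means the entries disagree about the label."""
    return {ctx.split(":")[2] for _, ctx in matching_specs(path, is_dir, specs)}


if __name__ == "__main__":
    # Constructed sample paths: a local user, a domain directory, a domain
    # user's home directory and one file inside it.
    samples = [
        ("/home/bob", True),
        ("/home/EXAMPLE", True),
        ("/home/EXAMPLE/alice", True),
        ("/home/EXAMPLE/alice/.bashrc", False),
    ]
    for specs_name, specs in (("stock", FILE_CONTEXTS_HOMEDIRS),
                              ("stock+domain", FILE_CONTEXTS_HOMEDIRS + DOMAIN_CANDIDATE)):
        for path, is_dir in samples:
            types = matched_types(path, is_dir, specs)
            flag = "  <-- CONFLICT" if len(types) > 1 else ""
            print(f"{specs_name:13} {path:28} {sorted(types)}{flag}")
```

With the stock entries alone, /home/EXAMPLE/alice is labelled user_home_t rather than user_home_dir_t; adding the domain entry makes both types match that directory, which is the conflict the reply points out.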



