Policy for authenticating domain users
Dominick Grift
domg472 at gmail.com
Mon Feb 15 19:27:54 UTC 2010
On 02/15/2010 07:27 PM, Scott Salley wrote:
> I'm working on a set of patches to integrate Likewise Open (Active
> Directory authentication for Unix/Linux/Mac) into Fedora/SELinux.
>
>
>
> I am having trouble defining how a user's home directory should be
> handled.
>
>
>
> We don't place users directly in /home as the domain user account name
> may conflict with an existing account. Instead, we use /home/%D/%U
> where %D is the domain and %U is the user account. (We may have users
> with the same account name in different domains.)
>
>
>
> I want to make sure that if users are joined while SELinux is not
> enabled, and then SELinux is re-enabled, the files get the proper
> contexts.
>
>
>
> Suggestions?
I think that is problematic because of this file context specification
in /etc/selinux/targeted/contexts/files/file_contexts.homedirs:
/home/[^/]*/.+ guest_u:object_r:user_home_t:s0
That basically says label everything below /home/*/ with type
user_home_t i believe.
/home/[^/]* -d guest_u:object_r:user_home_dir_t:s0
This says label all directories below /home type user_home_dir_t i believe.
You want /home/domain and /home/domain/* user_home_dir_t i believe.
I think that would conflict with the current specification: i.e. should
it label /home/*/* user_home_t or user_home_dir_t?
If and when that imo fundamental issue is resolved it is just a matter
of cloning the entries from
/etc/selinux/targeted/contexts/files/file_contexts.homedirs i believe.
I will be interested what others opinion is on this matter as i might be
wrong.
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100215/69a77bef/attachment.bin
More information about the selinux
mailing list