how to use the options "-P,--prefix" for the command semanage

Dominick Grift domg472 at gmail.com
Mon Jul 4 12:38:59 UTC 2011



On Mon, 2011-07-04 at 20:22 +0800, Benedict S wrote:
> The manpage of semanage says that "SELinux Prefix. Prefix added to home_dir_t
> and home_t for labeling users home directories.", but I don't know how to use
> it. Is there anyone to help me? Thanks.

This option was used for rbacsep and is no longer applicable.

You can use "-P user" for all your SELinux users.

rbacsep support was dropped from reference policy a while ago and a new
functionality called ubac was introduced instead.

However Fedora decided to disable the ubac functionality by default.

Basically the old rbacsep and the new ubac allow for the separation of
the various SELinux users.

The way rbacsep would do that was to allow you to define user prefixes.
So for example a prefix for a myuser_u SELinux user could be myuser;
then the user home dir types would be prefixed (/home/myuser ->
myuser_home_dir_t, instead of user_home_dir_t) and user home content
would be labelled myuser_home_t (instead of user_home_t).

That would allow one to define policy based on these types. For example
myuser_u can access myuser_home_dir_t but not youruser_home_dir_t.

So separation of SELinux users home spaces by using type enforcement.

Ubac allows for similar separation (and more) by using the SELinux
user identity field (first field in the security context tuple) instead
of using type enforcement. To achieve this it uses policy constraints
(policy constraints are also used for MLS and MCS).

Basically the way this works is by comparing the first field of the
security context of the source of an interaction to the first field of
the security context of the target in an interaction.

So: myuser_u:myuser_r:myuser_t:s0 can read
myuser_u:object_r:user_home_t:s0 files, but not
youruser_u:object_r:user_home_t:s0 files.

> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
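The two separation models described in the reply above, modelled as an added example that is not part of the original mail or of the SELinux tooling: the rbacsep model derives per-user home types from a prefix and decides on type, while the ubac model decides by comparing the user field of the two security contexts. The prefix table, the `Context` class and both `*_allows` functions are assumptions made for illustration; the ubac check is a simplified model of the real refpolicy constraint (which has exemptions, e.g. for system processes) and is not the actual constraint text.

```python
from dataclasses import dataclass

# Constructed prefix table for the rbacsep model: SELinux user -> home prefix.
# The "-P" prefix of the old semanage option filled this role.
RBACSEP_PREFIXES = {"myuser_u": "myuser", "youruser_u": "youruser"}


@dataclass(frozen=True)
class Context:
    """One SELinux security context tuple: user:role:type:level."""
    user: str
    role: str
    type: str
    level: str


def parse_context(ctx: str) -> Context:
    # maxsplit=3 keeps an MLS range such as "s0-s0:c0.c1023" intact in the level field.
    parts = ctx.split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"malformed security context: {ctx!r}")
    return Context(*parts)


def rbacsep_label(prefix: str, path: str) -> str:
    """Type a home path would get under rbacsep for the given prefix
    (hypothetical helper; mirrors the /home/myuser -> myuser_home_dir_t example)."""
    home = f"/home/{prefix}"
    if path == home:
        return f"{prefix}_home_dir_t"
    if path.startswith(home + "/"):
        return f"{prefix}_home_t"
    raise ValueError(f"{path!r} is not under {home!r}")


def rbacsep_allows(subject: Context, target: Context) -> bool:
    """Type-enforcement separation: the subject's SELinux user must have a
    registered prefix, and the target type must carry that prefix."""
    prefix = RBACSEP_PREFIXES.get(subject.user)
    if prefix is None:
        return False
    return target.type in (f"{prefix}_home_dir_t", f"{prefix}_home_t")


def ubac_allows(subject: Context, target: Context) -> bool:
    """Simplified ubac-style constraint: allow only when the user field
    (first field) of source and target contexts is the same."""
    return subject.user == target.user


def check(model, subject_ctx: str, target_ctx: str) -> bool:
    """Parse both contexts and evaluate one of the two models."""
    return model(parse_context(subject_ctx), parse_context(target_ctx))


if __name__ == "__main__":
    me = "myuser_u:myuser_r:myuser_t:s0"
    print(check(ubac_allows, me, "myuser_u:object_r:user_home_t:s0"))    # True
    print(check(ubac_allows, me, "youruser_u:object_r:user_home_t:s0"))  # False
    print(rbacsep_label("myuser", "/home/myuser"))                        # myuser_home_dir_t
    print(check(rbacsep_allows, me, "system_u:object_r:youruser_home_dir_t:s0"))  # False
```

Note that the two models disagree on what identifies a user's files: under ubac a file labelled with the generic user_home_t but owned by myuser_u is still protected, whereas under rbacsep the protection exists only if the file carries the prefixed type, which is why the prefix had to be set per SELinux user.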