<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Dne 15.11.2013 09:07, AndrewYang
napsal(a):<br>
</div>
<blockquote
cite="mid:674adee4-12d2-4aef-85af-849215ae0ff5@aliyun.com"
type="cite">
<div class="__aliyun_email_body_block">
<div><br>
</div>
<div class="__aliyun_previous_quote">
<div>Because Ecryptfs does not support xattr, so a variety of
application control type under ecryptfs user home is
replaced by ecryptfs_t. In the<br>
<div class="__aliyun_previous_quote">
<div>
<div> serepolicy-3.12.1 version, The
'use_ecryptfs_home_dirs' Boolean control ecyprfs_t
type under users encrypted directory. The Boolean
control granularity is coarse, such as xserver,
Mozilla, chrome applications setting policy, while
related to the home user domain gives the <br>
ecryptfs_t object to operate and manage permissions.
In the configuration of the ecryptfs_t type to control
encrypted user home directory method has following
problems :</div>
<div><br>
</div>
<div>1> ecryptfs user home directory only ecryptfs_t
type, can not be distinguished by type between
different applications under the user home<br>
directory, so that use_ecryptfs_home_dirs Boolean
control permission is too big.</div>
<div><br>
</div>
<div>2> if user home directory add new applications,
you will need to supplement the application policy of
ecryptfs_t type, while not directly use the existing
policy that is used under the unencrypted user home
directory. </div>
<div><br>
</div>
<div>To solve these problems, I have a idea that we can
use 'semanage fcontext' command to realize ecrytfs
user home directory and unencrypted user home
directory shared control policy.</div>
<div><br>
</div>
<div>Actually, using the ecryptfs user home directory is
to operate the encrypted directory
(/home/.ecryptfs/$USER_NAME/. Pravite) . The files
under encrypted directory and ecryptfs mounted point
directory (/home/$USER_NAME/) are one to one. With the
following commands, the <br>
ecryptfs user home directory (but filenames aren't be
encrypted) can be labelled with the unencrypted user
home directory security context.</div>
<div><br>
</div>
<div># semanage fcontext -a -e /home/$USER_NAME
/home/.ecryptfs/$USER_NAME/.Private</div>
<div># restorecon -RFv
/home/.ecryptfs/$USER_NAME/.Private</div>
<div># restorecon -R -v /home/.ecryptfs/</div>
<div><br>
</div>
<div class="__aliyun_signature_wrap">The ecryptfs does
not encrypt user home directory filenames and only
encypted file contents case, this method can realize
to use common user home directory policy, better than
the existing 'user_ecryptfs_home_dirs' boolean
control.<br>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
There is a story <br>
<br>
<a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=712048">https://bugzilla.redhat.com/show_bug.cgi?id=712048</a><br>
<span class="quote"><br>
ecryptfs-migrate-home </span>is supposed to run<br>
<br>
<pre># restorecon -R -v $HOME/$USER
# semanage fcontext -a -e /home /home/.ecryptfs
# restorecon -R -v $HOME/.ecrypfs/$USER</pre>
<br>
before $HOME/.ecrypfs/$USER is created. So<br>
<br>
<pre>$ matchpathcon /home/.ecryptfs/mgrepl
/home/.ecryptfs/mgrepl unconfined_u:object_r:user_home_t:s0
$matchpathcon /home/mgrepl/.ecryptfs
/home/mgrepl/.ecryptfs        unconfined_u:object_r:ecryptfs_t:s0
</pre>
<span class="quote"> </span><br>
is the labeling what is supposed to be.<br>
<br>
Regards,<br>
Miroslav<br>
</body>
</html>