On Mon, 2004-08-16 at 08:56 -0400, Stephen Smalley wrote:
> Fourth, the user domain needs access to user_home_dir_t:dir.
Should be $1_home_dir_t, right?
Actually that line can be scratched entirely, I think I just had the
user's home directory mislabled, obviously that part is broken.
> The fifth issue is access to /dev/pts. The comment above the
patch
> should explain things. Is there a better solution here?
If you want any protection between users, you need the separate types on
the ptys (and ttys).
Modulo DAC, you mean. I think in the targeted policy we're already
relying heavily on DAC for protection between users, and this isn't
really different.
But as above, you are likely to increasingly find
yourself transforming the targeted policy into the strict policy to
achieve real separation, so why not just use the strict policy?
I just run targeted policy on my laptop to test it, and I wanted to test
my hacks to the OpenSSH patch. I guess it seemed quicker to write a
patch to allow user creation in the targeted policy than to wait through
two relabels :)
It is a bit of a unique situation, so maybe it's not worth trying to
support user creation in the targeted policy. I just thought I'd send
my hack along in case it was found useful.