Because ecryptfs does not support xattr, the various application-specific
types under an ecryptfs user home are replaced by ecryptfs_t. In the
serepolicy-3.12.1 version, the 'use_ecryptfs_home_dirs' Boolean
controls the ecryptfs_t type under the user's encrypted directory. The
Boolean's control granularity is coarse: for example, the xserver,
Mozilla and Chrome application policies, where they relate to the user
home domain, all grant permissions to operate on and manage ecryptfs_t
objects. The configuration that uses the ecryptfs_t type to control the
encrypted user home directory has the following problems:
1> Under an ecryptfs user home directory there is only the ecryptfs_t
type, so the files of different applications under the user home
directory cannot be distinguished by type, and the permission controlled
by the use_ecryptfs_home_dirs Boolean is too broad.
2> If a new application is added to the user home directory, the
application policy must be supplemented for the ecryptfs_t type; it
cannot directly use the existing policy that is used under the
unencrypted user home directory.
To solve these problems, I have an idea: we can use the 'semanage
fcontext' command to make the ecryptfs user home directory and the
unencrypted user home directory share a control policy.
Actually, using the ecryptfs user home directory means operating on the
encrypted directory (/home/.ecryptfs/$USER_NAME/.Private). The files
under the encrypted directory and under the ecryptfs mount point
directory (/home/$USER_NAME/) correspond one to one. With the following
commands, the ecryptfs user home directory (provided filenames are not
encrypted) can be labelled with the unencrypted user home directory's
security context.
# semanage fcontext -a -e /home/$USER_NAME /home/.ecryptfs/$USER_NAME/.Private
# restorecon -RFv /home/.ecryptfs/$USER_NAME/.Private
# restorecon -R -v /home/.ecryptfs/
In the case where ecryptfs does not encrypt user home directory
filenames and only encrypts file contents, this method makes it possible
to use the common user home directory policy, which is better than the
existing 'use_ecryptfs_home_dirs' Boolean control.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
ecryptfs-migrate-home is supposed to run
# restorecon -R -v $HOME/$USER
# semanage fcontext -a -e /home /home/.ecryptfs
# restorecon -R -v $HOME/.ecryptfs/$USER
before $HOME/.ecryptfs/$USER is created. So
$ matchpathcon /home/.ecryptfs/mgrepl
/home/.ecryptfs/mgrepl unconfined_u:object_r:user_home_t:s0
$ matchpathcon /home/mgrepl/.ecryptfs
/home/mgrepl/.ecryptfs unconfined_u:object_r:ecryptfs_t:s0
is the labeling that is supposed to be.
Regards,
Miroslav
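An added illustration (not part of either message above) of what the equivalence rules created by 'semanage fcontext -a -e' do: each rule is stored as an '<alias> <lookup_path>' line in file_contexts.subs, and before the regex lookup any path that equals the alias or lies below it is rewritten to the lookup path. The model below is simplified (a constructed four-entry contexts table, and the last matching entry wins in place of libselinux's most-specific-match rule), and 'alice' is a made-up user.

```python
import re

# Constructed, simplified file_contexts table: (regex, type). Entries are
# ordered generic-first so that the last matching entry is the most specific.
FILE_CONTEXTS = [
    (r"/home/[^/]+/.+", "user_home_t"),
    (r"/home/[^/]+/\.mozilla(/.*)?", "mozilla_home_t"),
    (r"/home/[^/]+/\.ecryptfs(/.*)?", "ecryptfs_t"),
    (r"/home/\.ecryptfs(/.*)?", "ecryptfs_t"),
]

def parse_subs(text):
    """Parse file_contexts.subs lines of the form '<alias> <lookup_path>',
    which is what 'semanage fcontext -a -e LOOKUP_PATH ALIAS' records."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alias, target = line.split()
        rules.append((alias.rstrip("/"), target.rstrip("/")))
    return rules

def apply_subs(path, rules):
    """Rewrite `path` when it equals an alias or lies below it (the match must
    end on a '/' component boundary). The longest matching alias wins."""
    best = None
    for alias, target in rules:
        if path == alias or path.startswith(alias + "/"):
            if best is None or len(alias) > len(best[0]):
                best = (alias, target)
    if best is None:
        return path
    return best[1] + path[len(best[0]):]

def lookup_type(path, rules=()):
    """Type of the last file_contexts entry matching the (substituted) path."""
    path = apply_subs(path, rules)
    matched = None
    for regex, setype in FILE_CONTEXTS:
        if re.fullmatch(regex, path):
            matched = setype
    return matched

# Constructed subs file: the thread's two equivalences, for the made-up user.
SUBS = parse_subs("/home/.ecryptfs /home\n"
                  "/home/.ecryptfs/alice/.Private /home/alice\n")
```

With only the coarse '/home/.ecryptfs /home' rule, a file in .Private/.mozilla resolves to user_home_t; the per-user '.Private' rule is what makes the application-specific mozilla_home_t apply, while /home/alice/.ecryptfs still resolves to ecryptfs_t as in the matchpathcon output above.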