Fedora UBAC feature
Roberto Sassu
roberto.sassu at polito.it
Thu Sep 16 16:41:51 UTC 2010
I have successfully rebuilt the policy with UBAC turned on.
Now, I'm writing a policy to define some new types for user's files and I need to set up
file contexts for every user in the platform.
I see that the file file_contexts.homedirs uses a template in order to determine what rules must be
added each time a new user is created.
Is it possible to add new rules to this template from a custom policy module, or
do I need to recompile the entire policy with my modifications?
Thanks.
On Wednesday 15 September 2010 11:57:31 Dominick Grift wrote:
> On 09/15/2010 11:23 AM, Roberto Sassu wrote:
> > On Wednesday 15 September 2010 10:50:44 Roberto Sassu wrote:
> >> Hi all
> >>
> >> I want to use the UBAC feature in order to isolate users from each other.
> >> I created two users user1_u and user2_u mapped respectively to user1 and user2, and
> >> I assigned them the role user_r.
> >> Then I created two directories 'a' and 'b' labeled respectively user1_u:object_r:user_home_t:s0
> >> and user2_u:object_r:user_home_t:s0. What I'm expecting is that user1 can access 'a' and not 'b',
> >> and vice versa for user2, but user1 is allowed to access both directories.
> >>
> >>
> >
> > Oh, sorry. I had not seen that the UBAC variable is overwritten in the Fedora rpm spec file.
>
> Yes Fedora disabled it. It can be enabled by modifying the spec file and
> rebuilding the rpm.
>
> I have it enabled and it works pretty good with some exceptions.
>