Fedora UBAC feature

Dominick Grift domg472 at gmail.com
Thu Sep 16 16:49:41 UTC 2010


On 09/16/2010 06:41 PM, Roberto Sassu wrote:
> I have successfully rebuilt the policy with UBAC turned on.
> Now, I'm writing a policy to define some new types for users' files and I need to set up
> file contexts for every user in the platform.
> I see that the file file_contexts.homedirs uses a template in order to determine what rules must be
> added each time a new user is created.
> Is it possible to add new rules to this template from a custom policy module, or do
> I need to recompile the entire policy with my modifications?
> Thanks.

Try it, but I think you may have to recompile the entire policy with
your modifications.

# Minimal test module: one new home content type and one HOME_DIR file context entry.
echo "policy_module(test,1.0)
type bla_home_t;
userdom_user_home_content(bla_home_t)" > test.te
# One entry per line; the closing parenthesis of gen_context() is required.
echo "HOME_DIR/\.bla_test.txt -- gen_context(system_u:object_r:bla_home_t,s0)" > test.fc
make -f /usr/share/selinux/devel/Makefile test.pp
sudo semodule -i test.pp
# If the HOME_DIR entry was merged into file_contexts.homedirs, this reports bla_home_t.
matchpathcon ~/.bla_test.txt

> 
> On Wednesday 15 September 2010 11:57:31 Dominick Grift wrote:
>> On 09/15/2010 11:23 AM, Roberto Sassu wrote:
>>> On Wednesday 15 September 2010 10:50:44 Roberto Sassu wrote:
>>>> Hi all
>>>>
>>>> I want to use the UBAC feature in order to isolate users from each other.
>>>> I created two users user1_u and user2_u mapped respectively to user1 and user2, and
>>>> I assigned them the role user_r.
>>>> Then I created two directories 'a' and 'b' labeled respectively user1_u:object_r:user_home_t:s0
>>>> and user2_u:object_r:user_home_t:s0. What I'm expecting is that user1 can access 'a' and not 'b',
>>>> and vice versa for user2, but user1 is allowed to access both directories.
>>>>
>>>> --
>>>> This message was distributed to subscribers of the selinux mailing list.
>>>> If you no longer wish to subscribe, send mail to majordomo at tycho.nsa.gov with
>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>
>>>
>>> Oh, sorry. I had not seen that the UBAC variable is overwritten in the Fedora rpm spec file.
>>
>> Yes, Fedora disabled it. It can be enabled by modifying the spec file and
>> rebuilding the rpm.
>>
>> I have it enabled and it works pretty well with some exceptions.
>>
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>>
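The reason HOME_DIR entries matter for UBAC is the per-user expansion of file_contexts.homedirs that the thread refers to: each template entry is stamped out once per login, with the user's home path in the regex and the user's SELinux user in the context, which is the field the UBAC constraint compares. The script below is an added illustration of that expansion, not the code of genhomedircon or of any project; it is a simplified model (an assumption: only HOME_DIR and the system_u placeholder are substituted), uses the entry from the message above as its constructed template, and uses a constructed user list.

```python
import re

# Constructed sample template in file_contexts format: the entry from the
# message (closing parenthesis restored) plus a generic catch-all for the
# rest of the home directory and one non-home entry that must stay untouched.
TEMPLATE_FC = """\
# comment lines and blank lines are ignored

HOME_DIR/\\.bla_test\\.txt  --  gen_context(system_u:object_r:bla_home_t,s0)
HOME_DIR/.+                    gen_context(system_u:object_r:user_home_t,s0)
/etc/passwd                --  gen_context(system_u:object_r:passwd_file_t,s0)
"""

# Constructed user list: (login name, SELinux user, home directory).
USERS = [
    ("user1", "user1_u", "/home/user1"),
    ("user2", "user2_u", "/home/user2"),
]

GEN_CONTEXT = re.compile(r"gen_context\(([^,]+),\s*([^)]+)\)")


def parse_fc(text):
    """Parse file_contexts lines into (regex, file_type, context) triples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # gen_context(user:role:type,mls) -> user:role:type:mls
        line = GEN_CONTEXT.sub(lambda m: f"{m.group(1)}:{m.group(2)}", line)
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, ctx = fields
        elif len(fields) == 2:
            (regex, ctx), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        entries.append((regex, ftype, ctx))
    return entries


def expand_homedirs(template_text, users):
    """Expand every HOME_DIR entry once per user (simplified model, an
    assumption about the real generator): HOME_DIR becomes the user's
    escaped home path, and system_u in the context becomes the user's own
    SELinux user, so that UBAC can tell user1_u's files from user2_u's."""
    expanded = []
    for regex, ftype, ctx in parse_fc(template_text):
        if "HOME_DIR" not in regex:
            continue  # not a home-directory template entry
        for _login, seuser, home in users:
            path_re = regex.replace("HOME_DIR", re.escape(home))
            user, role, rest = ctx.split(":", 2)
            owner = seuser if user == "system_u" else user
            expanded.append((path_re, ftype, f"{owner}:{role}:{rest}"))
    return expanded


def matching_contexts(entries, path):
    """All contexts whose regex matches the whole path, in file order."""
    return [ctx for regex, _ftype, ctx in entries if re.fullmatch(regex, path)]


def seusers_for(entries, path):
    """SELinux users that appear in the contexts matching path; for a
    correctly expanded homedirs file this is exactly one user per home."""
    return {ctx.split(":", 1)[0] for ctx in matching_contexts(entries, path)}


if __name__ == "__main__":
    for regex, ftype, ctx in expand_homedirs(TEMPLATE_FC, USERS):
        print(f"{regex}\t{ftype or ''}\t{ctx}")
```

Running it prints the four expanded lines; the check worth keeping is seusers_for(): a path under /home/user1 must only ever yield user1_u contexts, because a stray system_u or generic entry matching that path is what lets a UBAC-constrained type be shared across users.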

