selinux Digest, Vol 117, Issue 1
selinux-request at lists.fedoraproject.org
selinux-request at lists.fedoraproject.org
Fri Nov 1 12:00:04 UTC 2013
Send selinux mailing list submissions to
selinux at lists.fedoraproject.org
To subscribe or unsubscribe via the World Wide Web, visit
https://admin.fedoraproject.org/mailman/listinfo/selinux
or, via email, send a message with subject or body 'help' to
selinux-request at lists.fedoraproject.org
You can reach the person managing the list at
selinux-owner at lists.fedoraproject.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of selinux digest..."
Today's Topics:
1. issue on deleting a SELinux costumized user (Leonidas S. Barbosa)
2. Re: what do we do with user_home_t, and what more could we do
with it? (Miroslav Grepl)
3. Re: what do we do with user_home_t, and what more could we do
with it? (Dominick Grift)
----------------------------------------------------------------------
Message: 1
Date: Thu, 31 Oct 2013 17:46:14 -0200
From: "Leonidas S. Barbosa" <leosilva at linux.vnet.ibm.com>
To: selinux at lists.fedoraproject.org
Cc: Daniel J Walsh <dwalsh at redhat.com>
Subject: issue on deleting a SELinux costumized user
Message-ID: <20131031194612.GA26741 at bluepex.com>
Content-Type: text/plain; charset=utf-8
I was trying to delete an user with seobject.seluserRecords.delete,
but I realized that once I have a SELinux user created with
seobject.seluserRecords.add method deleted when I try to use
.add again to creates another one I grab the follow
error message:
libsemanage.validate_handler: selinux user se_auditadm_u does not exist (No
such file or directory).
libsemanage.validate_handler: seuser mapping [se_auditadm_u -> (se_auditadm_u,
s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such
file or directory).
The only way I found to fix it was deleting some lines related to
the user was deleted in :
/etc/selinux/targeted/modules/active/seusers and seusers.final.
I'm wondering if I'm doing something wrong or if has a better way to do
that.
Thanks in advance.
Leonidas.
------------------------------
Message: 2
Date: Fri, 01 Nov 2013 10:41:34 +0100
From: Miroslav Grepl <mgrepl at redhat.com>
To: Dominick Grift <dominick.grift at gmail.com>
Cc: Daniel J Walsh <dwalsh at redhat.com>,
selinux at lists.fedoraproject.org
Subject: Re: what do we do with user_home_t, and what more could we do
with it?
Message-ID: <5273774E.4030001 at redhat.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
On 10/30/2013 05:07 PM, Dominick Grift wrote:
> On Wed, 2013-10-30 at 11:53 -0400, Daniel J Walsh wrote:
>
>> Well in this case I would like to potentially run these container/apps with
>> Types like firefox_t and ooffice_t, but more generically with app_t where
>> app_t is not allowed to touch user_home_t.
>>
>> But we are going far a field of this email chain, and we can revisit this when
>> we actually have applications containers.
>>
>>
> Sure, we will see, and yes i guess containers in Gnome are inevitable
> anyways (what about other DE's). I think, but you probably already know
> that, that we should not try to prevent access to the generic user home
> content type user_home_t, but instead classify everything that is not
> generic.
And do you think it is really possible?
>
> Anyways the difference is that i have integrity enforcement on the
> desktop currently implemented (albeit somewhat limited), and what you
> are suggesting is something that might work in a distant future.
>
> </thread>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
------------------------------
Message: 3
Date: Fri, 01 Nov 2013 11:52:12 +0100
From: Dominick Grift <dominick.grift at gmail.com>
To: Miroslav Grepl <mgrepl at redhat.com>
Cc: Daniel J Walsh <dwalsh at redhat.com>,
selinux at lists.fedoraproject.org
Subject: Re: what do we do with user_home_t, and what more could we do
with it?
Message-ID: <1383303132.2922.12.camel at d30>
Content-Type: text/plain; charset="UTF-8"
On Fri, 2013-11-01 at 10:41 +0100, Miroslav Grepl wrote:
> On 10/30/2013 05:07 PM, Dominick Grift wrote:
>> On Wed, 2013-10-30 at 11:53 -0400, Daniel J Walsh wrote:
>>
>>> Well in this case I would like to potentially run these container/apps with
>>> Types like firefox_t and ooffice_t, but more generically with app_t where
>>> app_t is not allowed to touch user_home_t.
>>>
>>> But we are going far a field of this email chain, and we can revisit this when
>>> we actually have applications containers.
>>>
>>>
>> Sure, we will see, and yes i guess containers in Gnome are inevitable
>> anyways (what about other DE's). I think, but you probably already know
>> that, that we should not try to prevent access to the generic user home
>> content type user_home_t, but instead classify everything that is not
>> generic.
> And do you think it is really possible?
>>
"I have proof that it is possible, if one sets clear goals, boundaries,
and realistic expectations."
Confining the user space not that different from confining the system
space. Its just a lot more work to maintain and more error prone,
because there is more interactivity, and things change more frequently
in the the user space
But if you set clear goals, and clear boundaries (as to what you support
and what not), then yes, i know its possible because i implemented it
The same goes for the system space, we also set boundaries there. "This
we can, and will support, and anything else not"
------------------------------
--
selinux mailing list
selinux at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
End of selinux Digest, Vol 117, Issue 1
***************************************
More information about the selinux
mailing list