selinux Digest, Vol 117, Issue 1

selinux-request at lists.fedoraproject.org selinux-request at lists.fedoraproject.org
Fri Nov 1 12:00:04 UTC 2013


Send selinux mailing list submissions to
	selinux at lists.fedoraproject.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://admin.fedoraproject.org/mailman/listinfo/selinux
or, via email, send a message with subject or body 'help' to
	selinux-request at lists.fedoraproject.org

You can reach the person managing the list at
	selinux-owner at lists.fedoraproject.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of selinux digest..."


Today's Topics:

  1. issue on deleting a SELinux customized user (Leonidas S. Barbosa)
  2. Re: what do we do with user_home_t, and what more could we do
     with it? (Miroslav Grepl)
  3. Re: what do we do with user_home_t, and what more could we do
     with it? (Dominick Grift)


----------------------------------------------------------------------

Message: 1
Date: Thu, 31 Oct 2013 17:46:14 -0200
From: "Leonidas S. Barbosa" <leosilva at linux.vnet.ibm.com>
To: selinux at lists.fedoraproject.org
Cc: Daniel J Walsh <dwalsh at redhat.com>
Subject: issue on deleting a SELinux customized user
Message-ID: <20131031194612.GA26741 at bluepex.com>
Content-Type: text/plain; charset=utf-8


I was trying to delete a user with seobject.seluserRecords.delete,
but I realized that once an SELinux user created with the
seobject.seluserRecords.add method has been deleted, when I try to use
.add again to create another one I get the following
error message:

libsemanage.validate_handler: selinux user se_auditadm_u does not exist (No
such file or directory).
libsemanage.validate_handler: seuser mapping [se_auditadm_u -> (se_auditadm_u,
s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such
file or directory).


The only way I found to fix it was deleting some lines related to
the user that was deleted in:

/etc/selinux/targeted/modules/active/seusers and seusers.final.

I'm wondering if I'm doing something wrong or if there is a better way to do
that.


Thanks in advance.
Leonidas.
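The libsemanage errors quoted above say what is wrong: a login (seuser) mapping in the seusers store still points at an SELinux user that no longer exists, so the next policy commit fails validation. The following is an added example, not code from the post or from the SELinux userspace tools: it reproduces that validation offline on constructed data so a dangling mapping can be spotted before it breaks a commit. The seusers line format (login:seuser:range) and the defined-user set are assumptions for the sake of the example.

```python
"""Consistency check between SELinux user definitions and login (seuser)
mappings.  Added example, not code from the original mailing-list post.

A login mapping whose seuser refers to a deleted SELinux user is exactly
what produces the "seuser mapping [...] is invalid" error from libsemanage.
"""

from typing import Iterable, List, Tuple

# Constructed sample of an seusers store (assumed format: login:seuser:range).
# The last line is the dangling mapping left behind after se_auditadm_u was
# deleted as an SELinux user.
SEUSERS_SAMPLE = """\
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
system_u:system_u:s0-s0:c0.c1023
auditor:se_auditadm_u:s0-s0:c0.c1023
"""

# Constructed set of SELinux users still defined in the policy store.
DEFINED_USERS_SAMPLE = {"unconfined_u", "system_u", "root", "user_u", "staff_u"}


def parse_seusers(text: str) -> List[Tuple[str, str, str]]:
    """Parse seusers lines into (login, seuser, mls_range) tuples.

    The MLS range itself contains ':' (e.g. s0-s0:c0.c1023), so each line is
    split into at most three fields.  Blank lines and '#' comments are skipped;
    a line without a login and seuser is reported rather than silently dropped.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or not parts[0] or not parts[1]:
            raise ValueError(f"seusers line {lineno} is malformed: {raw!r}")
        records.append((parts[0], parts[1], parts[2]))
    return records


def find_dangling_mappings(
    seusers_text: str, defined_users: Iterable[str]
) -> List[Tuple[str, str, str]]:
    """Return the login mappings whose seuser is not a defined SELinux user."""
    defined = set(defined_users)
    return [
        (login, seuser, mls_range)
        for login, seuser, mls_range in parse_seusers(seusers_text)
        if seuser not in defined
    ]


def format_report(dangling: List[Tuple[str, str, str]]) -> List[str]:
    """Render findings in the same shape as the libsemanage validation error."""
    return [
        f"seuser mapping [{login} -> ({seuser}, {mls_range})] "
        f"references undefined SELinux user {seuser}"
        for login, seuser, mls_range in dangling
    ]


if __name__ == "__main__":
    problems = find_dangling_mappings(SEUSERS_SAMPLE, DEFINED_USERS_SAMPLE)
    for line in format_report(problems):
        print(line)
    raise SystemExit(1 if problems else 0)
```

Run against a real store, the two inputs would be the seusers file from the policy's modules/active directory and the output of `semanage user -l`; the check then flags any login mapping that has to be removed (through the login-mapping interface, `semanage login -d` or the seobject loginRecords class) before or together with the SELinux user it references, instead of editing seusers and seusers.final by hand.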




------------------------------

Message: 2
Date: Fri, 01 Nov 2013 10:41:34 +0100
From: Miroslav Grepl <mgrepl at redhat.com>
To: Dominick Grift <dominick.grift at gmail.com>
Cc: Daniel J Walsh <dwalsh at redhat.com>,
	selinux at lists.fedoraproject.org
Subject: Re: what do we do with user_home_t, and what more could we do
	with it?
Message-ID: <5273774E.4030001 at redhat.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 10/30/2013 05:07 PM, Dominick Grift wrote:
> On Wed, 2013-10-30 at 11:53 -0400, Daniel J Walsh wrote:
> 
>> Well in this case I would like to potentially run these container/apps with
>> Types like firefox_t and ooffice_t, but more generically with app_t where
>> app_t is not allowed to touch user_home_t.
>> 
>> But we are going far a field of this email chain, and we can revisit this when
>> we actually have applications containers.
>> 
>> 
> Sure, we will see, and yes i guess containers in Gnome are inevitable
> anyways (what about other DE's). I think, but you probably already know
> that, that we should not try to prevent access to the generic user home
> content type user_home_t, but instead classify everything that is not
> generic.
And do you think it is really possible?
> 
> Anyways the difference is that i have integrity enforcement on the
> desktop currently implemented (albeit somewhat limited), and what you
> are suggesting is something that might work in a distant future.
> 
> </thread>
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux



------------------------------

Message: 3
Date: Fri, 01 Nov 2013 11:52:12 +0100
From: Dominick Grift <dominick.grift at gmail.com>
To: Miroslav Grepl <mgrepl at redhat.com>
Cc: Daniel J Walsh <dwalsh at redhat.com>,
	selinux at lists.fedoraproject.org
Subject: Re: what do we do with user_home_t, and what more could we do
	with it?
Message-ID: <1383303132.2922.12.camel at d30>
Content-Type: text/plain; charset="UTF-8"

On Fri, 2013-11-01 at 10:41 +0100, Miroslav Grepl wrote:
> On 10/30/2013 05:07 PM, Dominick Grift wrote:
>> On Wed, 2013-10-30 at 11:53 -0400, Daniel J Walsh wrote:
>> 
>>> Well in this case I would like to potentially run these container/apps with
>>> Types like firefox_t and ooffice_t, but more generically with app_t where
>>> app_t is not allowed to touch user_home_t.
>>> 
>>> But we are going far a field of this email chain, and we can revisit this when
>>> we actually have applications containers.
>>> 
>>> 
>> Sure, we will see, and yes i guess containers in Gnome are inevitable
>> anyways (what about other DE's). I think, but you probably already know
>> that, that we should not try to prevent access to the generic user home
>> content type user_home_t, but instead classify everything that is not
>> generic.
> And do you think it is really possible?
>> 

"I have proof that it is possible, if one sets clear goals, boundaries,
and realistic expectations."

Confining the user space is not that different from confining the system
space. It's just a lot more work to maintain and more error prone,
because there is more interactivity, and things change more frequently
in the user space.

But if you set clear goals, and clear boundaries (as to what you support
and what not), then yes, I know it's possible because I implemented it.

The same goes for the system space; we also set boundaries there. "This
we can, and will support, and anything else not."





------------------------------

--
selinux mailing list
selinux at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

End of selinux Digest, Vol 117, Issue 1
***************************************

