use_ecryptfs_home_dirs boolean

Miroslav Grepl mgrepl at redhat.com
Fri Nov 15 08:53:19 UTC 2013 

Dne 15.11.2013 09:07, AndrewYang napsal(a):
>
> Because Ecryptfs does not support xattr, so a variety of application 
> control type under ecryptfs user home is replaced by ecryptfs_t. In the
> serepolicy-3.12.1 version, The 'use_ecryptfs_home_dirs' Boolean 
> control ecyprfs_t type under users encrypted directory. The Boolean 
> control granularity is coarse, such as xserver, Mozilla, chrome 
> applications setting policy, while related to the home user domain 
> gives the
> ecryptfs_t object to operate and manage permissions. In the 
> configuration of the ecryptfs_t type to control encrypted user home 
> directory method has following problems :
>
> 1> ecryptfs user home directory only ecryptfs_t type, can not be 
> distinguished by type between different applications under the user home
> directory, so that use_ecryptfs_home_dirs Boolean control permission 
> is too big.
>
> 2> if user home directory add new applications, you will need to 
> supplement the application policy of ecryptfs_t type, while not 
> directly use the existing policy that is used under the unencrypted 
> user home directory.
>
> To solve these problems, I have a idea that we can use 'semanage 
> fcontext' command to realize ecrytfs user home directory and 
> unencrypted user home directory shared control policy.
>
> Actually, using the ecryptfs user home directory is to operate the 
> encrypted directory (/home/.ecryptfs/$USER_NAME/. Pravite) . The files 
> under encrypted directory and ecryptfs mounted point directory 
> (/home/$USER_NAME/) are one to one. With the following commands, the
> ecryptfs user home directory (but filenames aren't be encrypted) can 
> be labelled with the unencrypted user home directory security context.
>
> # semanage fcontext -a -e /home/$USER_NAME 
> /home/.ecryptfs/$USER_NAME/.Private
> # restorecon -RFv /home/.ecryptfs/$USER_NAME/.Private
> # restorecon -R -v /home/.ecryptfs/
>
> The ecryptfs does not encrypt user home directory filenames and only 
> encypted file contents case, this method can realize to use common 
> user home directory policy, better than the existing 
> 'user_ecryptfs_home_dirs' boolean control.
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
There is a story

https://bugzilla.redhat.com/show_bug.cgi?id=712048

ecryptfs-migrate-home is supposed to run

# restorecon -R -v $HOME/$USER
# semanage fcontext -a -e /home /home/.ecryptfs
# restorecon -R -v $HOME/.ecrypfs/$USER


before $HOME/.ecrypfs/$USER is created. So

$ matchpathcon /home/.ecryptfs/mgrepl
/home/.ecryptfs/mgrepl    unconfined_u:object_r:user_home_t:s0

$matchpathcon /home/mgrepl/.ecryptfs
/home/mgrepl/.ecryptfs	unconfined_u:object_r:ecryptfs_t:s0


is the labeling what is supposed to be.

Regards,
Miroslav
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20131115/334dfb7d/attachment.html>

More information about the selinux mailing list