use_ecryptfs_home_dirs boolean
Miroslav Grepl
mgrepl at redhat.com
Fri Nov 15 08:53:19 UTC 2013
On 15.11.2013 09:07, AndrewYang wrote:
>
> Because Ecryptfs does not support xattrs, the various application
> types under an ecryptfs user home are replaced by ecryptfs_t. In the
> serefpolicy-3.12.1 version, the 'use_ecryptfs_home_dirs' Boolean
> controls the ecryptfs_t type under users' encrypted directories. The Boolean's
> control granularity is coarse: applications such as xserver, Mozilla and chrome
> set their own policy, while the related home user domain is
> given the ecryptfs_t object to operate and manage permissions. Configuring
> the ecryptfs_t type to control the encrypted user home
> directory has the following problems:
>
> 1> The ecryptfs user home directory has only the ecryptfs_t type, so
> different applications under the user home directory cannot be
> distinguished by type, and the permission controlled by the
> use_ecryptfs_home_dirs Boolean is too big.
>
> 2> If new applications are added to the user home directory, you will need to
> supplement the application policy with the ecryptfs_t type, rather than
> directly using the existing policy that is used under the unencrypted
> user home directory.
>
> To solve these problems, I have an idea: we can use the 'semanage
> fcontext' command to make the ecryptfs user home directory and the
> unencrypted user home directory share a control policy.
>
> Actually, using the ecryptfs user home directory means operating on the
> encrypted directory (/home/.ecryptfs/$USER_NAME/.Private). The files
> under the encrypted directory and the ecryptfs mount point directory
> (/home/$USER_NAME/) correspond one to one. With the following commands, the
> ecryptfs user home directory (when filenames aren't encrypted) can
> be labelled with the unencrypted user home directory security context.
>
> # semanage fcontext -a -e /home/$USER_NAME /home/.ecryptfs/$USER_NAME/.Private
> # restorecon -RFv /home/.ecryptfs/$USER_NAME/.Private
> # restorecon -R -v /home/.ecryptfs/
>
> In the case where ecryptfs does not encrypt user home directory filenames and
> only encrypts file contents, this method makes it possible to use the common
> user home directory policy, which is better than the existing
> 'use_ecryptfs_home_dirs' Boolean control.
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
There is a story
https://bugzilla.redhat.com/show_bug.cgi?id=712048
ecryptfs-migrate-home is supposed to run
# restorecon -R -v $HOME/$USER
# semanage fcontext -a -e /home /home/.ecryptfs
# restorecon -R -v $HOME/.ecryptfs/$USER
before $HOME/.ecryptfs/$USER is created. So
$ matchpathcon /home/.ecryptfs/mgrepl
/home/.ecryptfs/mgrepl unconfined_u:object_r:user_home_t:s0
$ matchpathcon /home/mgrepl/.ecryptfs
/home/mgrepl/.ecryptfs unconfined_u:object_r:ecryptfs_t:s0
is the labeling as it is supposed to be.
Regards,
Miroslav
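The two `semanage fcontext -a -e` invocations in this thread differ in what they map: AndrewYang's makes one user's .Private tree equivalent to that user's home, while the bug report's version makes the whole /home/.ecryptfs tree equivalent to /home. The following script is an added illustration (not libselinux, selinux-policy or ecryptfs-utils code) of how such an equivalence is applied before the file_contexts regex lookup, and which default types each variant yields. The file_contexts table in it is a constructed, cut-down stand-in for the real policy, the user name "alice" is made up, and the lookup order is a simplification of what libselinux does (subs applied on a path-component boundary, then the most specific file_contexts entry wins).

```python
"""
Model of the default-label computation behind matchpathcon/restorecon:
  1. file_contexts.subs lines ("TARGET SOURCE", what `semanage fcontext
     -a -e SOURCE TARGET` writes) rewrite a matching path prefix;
  2. the rewritten path is matched against file_contexts, most specific
     entry first.
Constructed illustration, not libselinux or policy code.
"""
import re

# Constructed subset of file_contexts, in the general-to-specific order
# the policy build writes them. The real file has hundreds more lines.
FILE_CONTEXTS = [
    (r"/home",                          "system_u:object_r:home_root_t:s0"),
    (r"/home/[^/]+",                    "system_u:object_r:user_home_dir_t:s0"),
    (r"/home/[^/]+/.+",                 "system_u:object_r:user_home_t:s0"),
    (r"/home/[^/]+/\.mozilla(/.*)?",    "system_u:object_r:mozilla_home_t:s0"),
    (r"/home/[^/]+/\.ecryptfs(/.*)?",   "system_u:object_r:ecryptfs_t:s0"),
    (r"/home/\.ecryptfs(/.*)?",         "system_u:object_r:ecryptfs_t:s0"),
]

# Equivalence from the bug report:  semanage fcontext -a -e /home /home/.ecryptfs
SUBS_WHOLE_TREE = [("/home/.ecryptfs", "/home")]
# Per-user equivalence from the first post, for the made-up user "alice":
#   semanage fcontext -a -e /home/alice /home/.ecryptfs/alice/.Private
SUBS_PER_USER = [("/home/.ecryptfs/alice/.Private", "/home/alice")]


def apply_subs(path, subs):
    """Rewrite PATH with the first equivalence whose target prefix matches
    on a path-component boundary; later lines are consulted first."""
    for target, source in reversed(subs):
        if path == target or path.startswith(target + "/"):
            return source + path[len(target):]
    return path


def matchpathcon(path, subs, contexts=FILE_CONTEXTS):
    """Default context for PATH, or None when no entry matches."""
    key = apply_subs(path, subs)
    for regex, ctx in reversed(contexts):      # most specific entry first
        if re.fullmatch(regex, key):
            return ctx
    return None


def type_of(context):
    """Type field of a user:role:type:level context string."""
    return context.split(":")[2]


def restorecon_plan(on_disk, subs, contexts=FILE_CONTEXTS):
    """What `restorecon -v` would report: (path, old, new) for each path
    whose current label differs from the computed default."""
    changes = []
    for path, old in sorted(on_disk.items()):
        new = matchpathcon(path, subs, contexts)
        if new is not None and new != old:
            changes.append((path, old, new))
    return changes


if __name__ == "__main__":
    cookies = "/home/.ecryptfs/alice/.Private/.mozilla/cookies.sqlite"
    for name, subs in (("no equivalence", []),
                       ("-e /home /home/.ecryptfs", SUBS_WHOLE_TREE),
                       ("-e /home/alice .../.Private", SUBS_PER_USER)):
        print(f"{name:30s} -> {type_of(matchpathcon(cookies, subs))}")
    # Labels as they would sit on disk before restorecon runs (constructed).
    on_disk = {
        "/home/.ecryptfs/alice": "system_u:object_r:ecryptfs_t:s0",
        cookies: "system_u:object_r:ecryptfs_t:s0",
        "/home/alice/.ecryptfs": "system_u:object_r:ecryptfs_t:s0",
    }
    for path, old, new in restorecon_plan(on_disk, SUBS_WHOLE_TREE):
        print(f"relabel {path}: {type_of(old)} -> {type_of(new)}")
```

Running it shows the trade-off the thread is about: with the whole-tree equivalence the .Private contents become plain user_home_t (the extra .Private component keeps application-specific entries such as the .mozilla one from matching), whereas the per-user .Private equivalence carries the application types through, at the cost of one fcontext rule per user. In both variants $HOME/.ecryptfs keeps ecryptfs_t, and the restorecon_plan output lists exactly the paths that would need relabeling, which is why the bug report has ecryptfs-migrate-home run restorecon after adding the equivalence.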