5 Jan 2011 15:36
Re: libsemanage patch for MCS/MLS in user files
On Jan 5, 2011, at 2:30 AM, Russell Coker wrote:

> The attached patch makes the
> /etc/selinux/default/contexts/files/file_contexts.homedirs generation process
> include the MCS/MLS level.
>
> This means that if you have a user with an MCS/MLS level that isn't SystemLow
> then their home directory will be labeled such that they can have read/write
> access to it by default.
>
> Unless anyone has any better ideas for how to solve this problem I will upload
> this to Debian shortly.
>
> What do the MLS users do in this situation? Just relabel home directories
> manually?

We don't have any users that are single level > SystemLow. I do think that is a legitimate use case. We currently symlink most dot files into a polyinstantiated directory to allow terminal windows and preferences to work at multiple levels. You could polyinstantiate the home directory and not worry about the specific level.

joe

>
>
> Finally it seems that when you run "semanage user -m" the
> file_contexts.homedirs doesn't get updated, it's only when you run
> "semanage login -m" that it takes effect.
>
> --
> russell@...
> http://etbe.coker.com.au/ My Main Blog
> http://doc.coker.com.au/ My Documents Blog
> <diff>