On Wed, 10 Jan 2018 17:50:19 +0800 wenzong fan <wenzong....@windriver.com> wrote:
> On 01/10/2018 01:01 AM, Patrick Ohly wrote:
> > On Fri, 2018-01-05 at 01:07 +0000, Fan, Wenzong wrote:
> >> It works and will override the labels of home dir that SELinux
> >> applied, that's the issue.
> >>
> >> For SELinux enabled system, the user's home dir should have label
> >> 'user_home_dir_t' instead of 'etc_t', it prevents users from
> >> creating files in their home dir.
> >
> > Sounds like the "copy xattr" function needs to become a bit
> > smarter: it needs to understand some of the semantic involved and
> > skip those SELinux xattrs that are always meant to be set
> > dynamically by the running kernel.
> >
> > Wenzong, which xattrs are those? Do you agree with the proposed
> > solution?
>
> The xattr for selinux is "security.selinux":
>
> $ getfattr -n security.selinux /home/t1
> security.selinux="user_u:object_r:user_home_dir_t:s0-s15:c0.c1023"
>
> I think the "attr_copy_file()" is doing the right thing, but it should be
> used in a limited situation, such as only for Smack ...
>
> Thanks
> Wenzong

The LSM "SELinux" is complicated enough to change the label of template files to the label of instance files correctly. The approach with Smack is different and the template files embed the expected complex hierarchy that otherwise could only be created with a program.

A possible approach would be with Smack to add a program for creating homes. Conversely, SELinux could consider using the template approach too instead of increasing its rules set (with templating split in two parts: files and "creation" rules).

From "man 7 xattr" we know:
- extended attributes are namespaced
- the fully qualified name is "namespace.attribute"
- actual namespaces are security, system, trusted, and user

A possibility would be to filter the copied extended attributes. For SELinux we can just tell it to not copy "security" attributes. See the manual of the command "tar" (recent version) that has options --xattrs-exclude and --xattrs-include.

Is there a need to copy extended attributes except for Smack?

> > Jose, can you look into updating your patch accordingly?

Perhaps yes but not now because I don't know what to do.

Best regards
Jose
-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
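The namespace filter discussed in this thread (skip the kernel-managed "security" label on SELinux, or copy only Smack's labels), written out as an added worked example. This is not code from the thread or from the oe-core patch under discussion; the function names `select_xattrs` and `copy_xattrs`, the two policy dicts, and the sample attribute list in the test are my own. The mask semantics follow tar's `--xattrs-include` / `--xattrs-exclude` globs over the fully qualified "namespace.attribute" name.

```python
import fnmatch
import os
from typing import Iterable, List, Optional

# Fully qualified xattr names are "namespace.attribute" (man 7 xattr). LSM labels
# live in the "security" namespace: SELinux uses security.selinux, Smack uses
# security.SMACK64 (and SMACK64EXEC/SMACK64MMAP/SMACK64TRANSMUTE). SELinux assigns
# security.selinux itself at file creation, so copying it from a template file
# clobbers the label the policy intended (etc_t instead of user_home_dir_t).


def select_xattrs(names: Iterable[str],
                  include: Optional[List[str]] = None,
                  exclude: Optional[List[str]] = None) -> List[str]:
    """Return the attribute names that pass the include/exclude masks.

    Masks are shell-style globs over the fully qualified name, mirroring
    tar's --xattrs-include / --xattrs-exclude. include=None keeps everything;
    exclude is applied after include. Input order is preserved.
    """
    kept = []
    for name in names:
        if include is not None and not any(fnmatch.fnmatchcase(name, m) for m in include):
            continue
        if exclude is not None and any(fnmatch.fnmatchcase(name, m) for m in exclude):
            continue
        kept.append(name)
    return kept


# Two policies that follow from the thread (hypothetical names): on SELinux drop
# the kernel-managed label; with Smack copy nothing but the Smack labels.
SELINUX_POLICY = {"exclude": ["security.selinux"]}
SMACK_ONLY_POLICY = {"include": ["security.SMACK64*"]}


def copy_xattrs(src: str, dst: str,
                include: Optional[List[str]] = None,
                exclude: Optional[List[str]] = None) -> List[str]:
    """Copy the selected extended attributes from src to dst (Linux only).

    Symlinks are not followed, so a template symlink's own xattrs are copied
    rather than its target's. Returns the names that were actually copied.
    """
    names = select_xattrs(os.listxattr(src, follow_symlinks=False), include, exclude)
    for name in names:
        value = os.getxattr(src, name, follow_symlinks=False)
        os.setxattr(dst, name, value, follow_symlinks=False)
    return names


if __name__ == "__main__":
    import tempfile
    # Constructed demo: user.* attributes can be set unprivileged on most Linux
    # filesystems; security.* usually cannot, and non-Linux hosts lack the
    # os.*xattr calls entirely, hence the broad except.
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "template"), os.path.join(d, "home")
        for p in (src, dst):
            open(p, "w").close()
        try:
            os.setxattr(src, "user.comment", b"from template")
            print("copied:", copy_xattrs(src, dst, exclude=["security.*"]))
        except (OSError, AttributeError) as e:
            print("xattrs unsupported here:", e)
```

Excluding the whole `security.*` namespace is the conservative choice on SELinux (it also drops `security.capability`, which a template should not be granting anyway); `SMACK_ONLY_POLICY` is the other direction the thread suggests, copying nothing that Smack does not own.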