On Thu, 2006-12-07 at 14:35 -0500, Linda Knippers wrote:
> Daniel J Walsh wrote:
> > I have tried this patch out and it seems to work correctly.  The only
> > other question I would have is should I change the user component of the
> > context?
> 
> I've tried out the patch too and if I understand how it's supposed to work,
> it seems to work correctly for me as well.  When I create a user, do a
> restorecon on the user's home directory and then log in, I get a home
> directory and tmp directories as I expect.  This works for admin users
> too.  If I do a newrole to change my level, I get a new set of directories.
> 
> Should I also get a new set of directories if I use newrole to switch
> roles?  I don't (and not sure I want to) but I'm wondering if I'm
> supposed to since the man page says it polyinstantiates based on
> "context" and when I change roles, my context changes, right?

Correct - it was intended to be general and support role/domain-based
instantiation as well as level instantiation, but Dan's patch drops that
support and hardcodes the level instantiation.  Which is simpler and
yields the desired behavior for MLS and LSPP, at a cost in generality.
The more general fix may take more effort (small kernel patch to adjust
the logic or policy and labeling adjustments to work around).

-- 
Stephen Smalley
National Security Agency
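The distinction in this exchange (a new directory set on every context change versus only on a level change) can be made concrete with a small illustration. This is added example code, not pam_namespace's own logic or Dan's patch: it only models which component of an SELinux context decides whether two sessions share a polyinstantiated directory set; the sample contexts are constructed, and the real module derives directory names differently (it also folds in the user name).

```python
# Added illustration: which part of an SELinux context "user:role:type[:range]"
# decides directory sharing under a context-based versus a level-based scheme.


def split_context(ctx):
    """Split 'user:role:type[:range]' into four components.

    The MLS range may itself contain ':' (e.g. 's0-s15:c0.c1023'), so only
    the first three ':' separators are significant.
    """
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % ctx)
    if len(parts) == 3:
        parts.append("")  # non-MLS context: no range component
    return tuple(parts)


def instance_key(ctx, method):
    """Return the key that decides whether two sessions share a directory set.

    'context': the whole context, so a role/domain change (newrole -r)
               yields a new set, as the general design intended.
    'level'  : only the MLS range, so only a level change (newrole -l)
               yields a new set, as the hardcoded patch does.
    """
    user, role, typ, level = split_context(ctx)
    if method == "context":
        return ctx
    if method == "level":
        return level
    raise ValueError("unknown method %r" % method)


def same_instance(ctx_a, ctx_b, method):
    """True if sessions with these two contexts would see the same directories."""
    return instance_key(ctx_a, method) == instance_key(ctx_b, method)


# Constructed sample contexts (hypothetical, not taken from any real system):
BASE = "staff_u:staff_r:staff_t:s0"
ROLE_CHANGE = "staff_u:sysadm_r:sysadm_t:s0"   # what a role switch produces
LEVEL_CHANGE = "staff_u:staff_r:staff_t:s1"    # what a level switch produces

if __name__ == "__main__":
    for method in ("context", "level"):
        print(method, "role change shares dirs:", same_instance(BASE, ROLE_CHANGE, method))
        print(method, "level change shares dirs:", same_instance(BASE, LEVEL_CHANGE, method))
```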

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
