
Re: [patch 0/4] libsemanage: genhomedircon replacement

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Tue Aug 28 2007 - 16:37:39 GMT
To: Karl MacMillan <kmacmillan@mentalrootkit.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Karl MacMillan wrote:
> On Tue, 2007-08-28 at 10:21 -0400, Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Finally catching up on Email after vacation.
>>>
>>> genhomedircon lists the entire list of passwords in order to figure out
>>> where home directories are. Not just the contents of the seusers.
>>>
>
> And this will simply not work with LDAP infrastructure - iterating over
> tens-of-thousands of users on _every_ workstation is not acceptable.
>
>> Is there an implementation error in the new genhomedircon?
>>
>>> At RedHat we have about 50 different root home directories
>>>
>>> /home/location/dwalsh
>>>
>>> We need to know this in order to have restorecon work properly.
>>>
>>> Labeling of the homedir for things like .mozilla .gnome2 and .ssh
>>> is still needed, but differentiating them on Roles does not make sense
>>> in a distributed world. Where if dwalsh logs into a kiosk machine he
>>> might be xguest_t, on a terminal server guest_t, on his local machine
>>> unconfined_t and on the security machine staff_t. If his home directory
>>> is the same on all of these, SELinux is in trouble.
>> So, it doesn't make sense for your specific infrastructure, that doesn't
>> mean it doesn't make sense ever. And this is a policy issue really,
>> genhomedircon just does what it's told.
>>
>>
>
> Can we turn the question around then? Where would this behavior be
> useful? And would the per-user labeling and constraints I suggested work
> in those situations as an alternative? Again, we can leave genhomedircon
> for all I care, I just want to have the defaults work in most
> situations.
>
> Karl
>
>

I believe LDAP will stop you from returning the entire database anyway, since it is threshold limited. I had bug reports of genhomedircon taking forever to run with a large password database (> 100,000 entries). This is where the compiling of the regex saved tons of time.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG1E9SrlYvE4MpobMRAl+BAKCJ+tDpVFIo2e+TPzbCOBhqKzV/pwCgzlOY
ILOHuv1SxKFdxSVEh+yjOc0=
=hEyU
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
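The two approaches argued over in this thread, as an added illustration (this is not the libsemanage or genhomedircon source): a full walk over every passwd entry to derive the distinct home-directory parents (the HOME_ROOT values), against a walk restricted to the logins named in seusers, plus the template expansion that turns each root into file_contexts lines with the regexes compiled once rather than per root. UID_MIN, the ignore list, the HOME_DIR replacement pattern, the homedir_template format and all sample data are assumptions constructed for the example.

```python
"""Home-directory root discovery in the style of genhomedircon.

Added illustration; not the libsemanage or genhomedircon source. It models
the behaviour discussed in the thread: a full walk over every passwd entry
to find the distinct home-directory parents, versus one lookup per login
listed in seusers. UID_MIN, IGNORED_HOMES, the template format and the
HOME_DIR replacement pattern are assumptions, not values taken from the page.
"""
import os
import re
from typing import Callable, Iterable, List, NamedTuple, Optional, Set


class PwEntry(NamedTuple):
    name: str
    uid: int
    home: str


UID_MIN = 1000  # assumption: a typical login.defs UID_MIN
IGNORED_HOMES = {"/", "/root", "/dev/null", "/nonexistent", "/var/empty"}  # assumption


def parse_passwd(text: str) -> List[PwEntry]:
    """Parse passwd-format lines (name:pw:uid:gid:gecos:home:shell)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(PwEntry(f[0], int(f[2]), f[5]))
    return entries


def home_root(entry: PwEntry, uid_min: int = UID_MIN) -> Optional[str]:
    """Parent of a real user's home dir, or None for system/ignored accounts."""
    if entry.uid < uid_min or entry.home in IGNORED_HOMES:
        return None
    root = os.path.dirname(entry.home.rstrip("/"))
    return root if root not in ("", "/") else None


def home_roots_full_scan(entries: Iterable[PwEntry]) -> Set[str]:
    """The expensive path: touch every account the NSS source returns.
    With LDAP behind NSS this is the tens-of-thousands-of-users walk."""
    return {r for r in (home_root(e) for e in entries) if r}


def home_roots_from_seusers(seusers_text: str,
                            getpwnam: Callable[[str], Optional[PwEntry]]) -> Set[str]:
    """The cheaper alternative: one lookup per login named in seusers
    (login:seuser:range lines; __default__ is not a real account)."""
    roots = set()
    for line in seusers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        login = line.split(":")[0]
        if login == "__default__":
            continue
        entry = getpwnam(login)
        root = home_root(entry) if entry else None
        if root:
            roots.add(root)
    return roots


# Compiled once, outside the per-root loop: the speed-up Dan refers to.
HOME_DIR_RE = re.compile(r"HOME_DIR")
HOME_ROOT_RE = re.compile(r"HOME_ROOT")


def expand_template(template: str, roots: Iterable[str]) -> List[str]:
    """Expand HOME_ROOT/HOME_DIR placeholders into file_contexts lines,
    one block per root. Replacing HOME_DIR with <root>/[^/]+ is an assumption."""
    out = []
    for root in sorted(roots):
        for line in template.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            line = HOME_DIR_RE.sub(root + "/[^/]+", line)
            line = HOME_ROOT_RE.sub(root, line)
            out.append(line)
    return out


# Constructed sample data (not real accounts or a real template).
SAMPLE_PASSWD = """
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:65534:65534:Nobody:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/boston/alice:/bin/bash
bob:x:1001:1001:Bob:/home/dc/bob:/bin/bash
carol:x:1002:1002:Carol:/home/dc/carol:/bin/bash
guest:x:1003:1003:Guest:/home/guest:/bin/bash
"""
SAMPLE_SEUSERS = "__default__:user_u:s0\nroot:root:s0-s0:c0.c1023\nalice:staff_u:s0-s0:c0.c1023\n"
SAMPLE_TEMPLATE = ("HOME_ROOT/[^/]+\t-d\tsystem_u:object_r:user_home_dir_t:s0\n"
                   "HOME_DIR/\\.ssh(/.*)?\tsystem_u:object_r:ssh_home_t:s0\n")

if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("full scan:", sorted(home_roots_full_scan(entries)))
    byname = {e.name: e for e in entries}
    print("seusers only:", sorted(home_roots_from_seusers(SAMPLE_SEUSERS, byname.get)))
    print("\n".join(expand_template(SAMPLE_TEMPLATE, home_roots_full_scan(entries))))
```

Against a live system, `pwd.getpwall()` would feed `home_roots_full_scan` and `pwd.getpwnam` would feed `home_roots_from_seusers`; the point of the comparison is that the first call is the one that has to enumerate the whole directory.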