|Main Archive Page > Month Archives > selinux archives|
-----BEGIN PGP SIGNED MESSAGE-----
Karl MacMillan wrote:
> On Tue, 2007-08-28 at 10:21 -0400, Joshua Brindle wrote:
>> Daniel J Walsh wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Finally catching up on Email after vacation. >>> >>> genhomedircon lists the entire list of passwords in order to figure out >>> where home directories are. Not just the contents of the seusers. >>>
> And this will simply not work with LDAP infrastructure - iterating over
> tens-of-thousands of users on _every_ workstation is not acceptable.
>> Is there an implementation error in the new genhomedircon? >> >>> At RedHat we have about 50 different root home directories >>> >>> /home/location/dwalsh >>> >>> We need to know this in order to have restorecon work properly. >>> >>> Labeling of the homedir for things like .mozilla .gnome2 and .ssh >>> is still needed, but differentiating them on Roles does not make sense >>> in a distributed world. Where if dwalsh logs into a kiosk machine he >>> might be xguest_t, on a terminal server guest_t, on his local machine >>> unconfined_t and on the security machine staff_t. If his home directory >>> is the same on all of these, SELinux is in trouble. >> So, it doesn't make sense for your specific infrastructure, that doesn't >> mean it doesn't make sense ever. And this is a policy issue really, >> genhomedircon just does what its told. >> >>
> Can we turn the question around then? Where would this behavior be
> useful? And would the per-user labeling and constraints I suggested work
> in those situations as an alternative? Again, we can leave genhomedircon
> for all I care, I just want to have the defaults work in most
I believe ldap will stop you from returning the entire database anyways, Since it is threshold limited. I had bugreports of genhomedircon taking forever to run with large password database > 100,000. This is where the compiling of the regex saved tons of time.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
-----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to email@example.com with the words "unsubscribe selinux" without quotes as the message.