
Dominick Grift 07-04-2011 12:38 PM

how to use the options "-P,--prefix" for the command semanage
 
On Mon, 2011-07-04 at 20:22 +0800, Benedict S wrote:
> The manpage of semanage says that "SELinux Prefix. Prefix added to home_dir_t
> and home_t for labeling users home directories.", but I don't know how to use
> it. Is there anyone to help me? Thanks.

This option was used for rbacsep and is no longer applicable.

You can use "-P user" for all your SELinux users.

rbacsep support was dropped from reference policy a while ago and a new
functionality called ubac was introduced instead.

However Fedora decided to disable the ubac functionality by default.

Basically the old rbacsep and the new ubac allow for the separation of
the various SELinux users.

The way rbacsep would do that was to allow you to define user prefixes.
So for example a prefix for a myuser_u SELinux user could be myuser;
then the user home dir types would be prefixed (/home/myuser ->
myuser_home_dir_t, instead of user_home_dir_t) and user home content
would be labelled myuser_home_t (instead of user_home_t).

That would allow one to define policy based on these types. For example
myuser_u can access myuser_home_dir_t but not youruser_home_dir_t.

So separation of SELinux users home spaces by using type enforcement.

Ubac allows for similar separation (and more) by using the SELinux
user identity field (first field in the security context tuple) instead
of using type enforcement. To achieve this it uses policy constraints
(policy constraints are also used for MLS and MCS).

Basically the way this works is by comparing the first field of the
security context of the source of an interaction to the first field of
the security context of the target of an interaction.

So: myuser_u:myuser_r:myuser_t:s0 can read
myuser_u:object_r:user_home_t:s0 files, but not
youruser_u:object_r:user_home_t:s0 files.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
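A toy model of the two separation mechanisms the reply describes, added here as an illustration and not taken from the thread or from reference policy: rbacsep-style prefixed home types checked by type, and a ubac-style constraint that compares the user field of the source and target contexts. The `system_u` exemption in `ubac_allows` is an assumed simplification, not the real policy's constraint.

```python
"""Simplified model of rbacsep (prefixed types) vs ubac (user-field constraint).

Constructed example; it models the thread's explanation, not the actual
SELinux reference policy rules.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """One SELinux security context: user:role:type[:level]."""

    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, ctx: str) -> "Context":
        # The MLS/MCS level may itself contain ':' (e.g. s0-s0:c0.c1023),
        # so split on at most three separators and keep the rest as the level.
        parts = ctx.split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"malformed context: {ctx!r}")
        user, role, type_, *rest = parts
        return cls(user, role, type_, rest[0] if rest else "")


def rbacsep_home_types(prefix: str) -> tuple[str, str]:
    """rbacsep naming: a user prefix yields <prefix>_home_dir_t and <prefix>_home_t."""
    return f"{prefix}_home_dir_t", f"{prefix}_home_t"


def rbacsep_allows(prefix: str, target_type: str) -> bool:
    """Type-enforcement view: a user only reaches the home types carrying its own prefix."""
    return target_type in rbacsep_home_types(prefix)


def ubac_allows(source: Context, target: Context,
                exempt_users: tuple[str, ...] = ("system_u",)) -> bool:
    """Constraint view: the user fields of source and target must match.

    The exemption list is a constructed simplification so that system-owned
    objects stay reachable; it is not the reference policy's actual rule.
    """
    if source.user in exempt_users or target.user in exempt_users:
        return True
    return source.user == target.user
```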

