[OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes
José Bollo
jobol at nonadev.net
Mon Jan 15 14:33:46 UTC 2018
On Wed, 10 Jan 2018 17:50:19 +0800
wenzong fan <wenzong.fan at windriver.com> wrote:
> On 01/10/2018 01:01 AM, Patrick Ohly wrote:
> > On Fri, 2018-01-05 at 01:07 +0000, Fan, Wenzong wrote:
> >> It works and will override the labels of home dir that SELinux
> >> applied, that's the issue.
> >>
> >> For SELinux enabled system, the user's home dir should have lavel
> >> 'user_home_dir_t' instead of 'etc_t', it prevents users from
> >> creating files in their home dir.
> >
> > Sounds like the "copy xattr" function needs to become a bit
> > smarter: it needs to understand some of the semantic involved and
> > skip those SELinux xattrs that are always meant to be set
> > dynamically by the running kernel.
> >
> > Wenzong, which xattrs are those? Do you agree with the proposed
> > solution?
>
> The xattr for selinux is "security.selinux":
>
> $ getfattr -n security.selinux /home/t1
> security.selinux="user_u:object_r:user_home_dir_t:s0-s15:c0.c1023"
>
> I think the "attr_copy_file()" is doing right thing, but it should be
> used in a limited situation, such as only for Smack ...
>
> Thanks
> Wenzong
The LSM "SELinux" is complicated enough to change label of template
files to label of instance files correctly. The approach with Smack is
different and the template files embed the expected complex hierarchy
that otherwise could only be created with a program.
A possible approach would be with smack to add a program for creating
homes. Conversely, SELinux could consider to use template approach too
instead of increasing its rules set (with templating splitted in two
parts: files and "creation" rules).
From "man 7 xattr" we know:
- extended attributes are namespaced
- the fully qualified name is "namespace.attribute"
- actual namespaces are security, system, trusted, and user
A possibility would be to filter the copied extended attributes. For
SELinux we can just tell to not copy "security" attributes. See
manual of the command "tar" (recent version) that has options
--xattrs-exclude and --xattr-include.
Is there a need to copy extended attributes except for Smack?
> > Jose, can you look into updating your patch accordingly?
Perhaps yes but not now because I don't now what to do.
Best regards
Jose
More information about the Openembedded-core
mailing list