* [refpolicy] kernel_corecommands.patch
@ 2009-03-04 21:28 Daniel J Walsh
  2009-03-05 15:06 ` Christopher J. PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2009-03-04 21:28 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corecommands.patch

Additional labels

Change some labels in /etc/selinux/network-scripts so that
network-manager can manage them

bin_t scattered all over the file system

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] kernel_corecommands.patch
  2009-03-04 21:28 [refpolicy] kernel_corecommands.patch Daniel J Walsh
@ 2009-03-05 15:06 ` Christopher J. PeBenito
  0 siblings, 0 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2009-03-05 15:06 UTC (permalink / raw)
  To: refpolicy

On Wed, 2009-03-04 at 16:28 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corecommands.patch
> 
> Additional labels
> 
> Change some labels in /etc/selinux/network-scripts so that
> network-manager can manage them
> 
> bin_t scattered all over the file system

Merged.  I think we should clean up some more redhat-specific entries,
like /etc/sysconfig/*, and move them into distro_redhat's.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] kernel_corecommands.patch
@ 2010-08-26 22:45 Daniel J Walsh
  0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2010-08-26 22:45 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corecommands.patch

Lots of bin_t files


^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] kernel_corecommands.patch
  2010-06-02 20:18 Daniel J Walsh
@ 2010-06-07 13:04 ` Christopher J. PeBenito
  0 siblings, 0 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2010-06-07 13:04 UTC (permalink / raw)
  To: refpolicy

On Wed, 2010-06-02 at 16:18 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corecommands.patch
> 
> Lots of new places to stick bin_t files

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] kernel_corecommands.patch
@ 2010-06-02 20:18 Daniel J Walsh
  2010-06-07 13:04 ` Christopher J. PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2010-06-02 20:18 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corecommands.patch

Lots of new places to stick bin_t files

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] kernel_corecommands.patch
  2010-02-23 21:33 Daniel J Walsh
@ 2010-03-05 15:54 ` Christopher J. PeBenito
  0 siblings, 0 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2010-03-05 15:54 UTC (permalink / raw)
  To: refpolicy

On Tue, 2010-02-23 at 16:33 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_corecommands.patch
> 
> Lots of places need to be labeled bin_t
> 
> +corecmd_read_all_executables(abrt_t)

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] kernel_corecommands.patch
@ 2010-02-23 21:33 Daniel J Walsh
  2010-03-05 15:54 ` Christopher J. PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2010-02-23 21:33 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_corecommands.patch

Lots of places need to be labeled bin_t

+corecmd_read_all_executables(abrt_t)
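
Review bot: the added `corecmd_read_all_executables(abrt_t)` line is an access grant for abrt_t, while the description above it only covers labeling places as bin_t. Going by the interface name, it lets abrt_t read every executable type, so the description should say why abrt needs that. Since the rule concerns abrt_t rather than corecommands labels, consider carrying it with the abrt policy instead.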

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] kernel_corecommands.patch
  2009-11-12 20:57 Daniel J Walsh
@ 2009-11-23 18:47 ` Christopher J. PeBenito
  0 siblings, 0 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2009-11-23 18:47 UTC (permalink / raw)
  To: refpolicy

On Thu, 2009-11-12 at 15:57 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/kernel_corecommands.patch
> 
> Lots of new places to hide binaries.
> 
Merged.


-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] kernel_corecommands.patch
@ 2009-11-12 20:57 Daniel J Walsh
  2009-11-23 18:47 ` Christopher J. PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2009-11-12 20:57 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/kernel_corecommands.patch

Lots of new places to hide binaries.

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] kernel_corecommands.patch
  2009-05-21 15:13 Daniel J Walsh
@ 2009-06-11 15:39 ` Christopher J. PeBenito
  0 siblings, 0 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2009-06-11 15:39 UTC (permalink / raw)
  To: refpolicy

On Thu, 2009-05-21 at 11:13 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corecommands.patch
> 
> Lots of nice new locations for binaries.

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] kernel_corecommands.patch
@ 2009-05-21 15:13 Daniel J Walsh
  2009-06-11 15:39 ` Christopher J. PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2009-05-21 15:13 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corecommands.patch

Lots of nice new locations for binaries.

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] kernel_corecommands.patch
  2008-12-06 13:00   ` Martin Orr
@ 2008-12-09 13:43     ` Daniel J Walsh
  0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2008-12-09 13:43 UTC (permalink / raw)
  To: refpolicy

Martin Orr wrote:
> On 02/12/08 22:51, Christopher J. PeBenito wrote:
>> On Tue, 2008-11-25 at 16:35 -0500, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corecommands.patch
>>>
>>> Add bin_t for ConsoleKit scripts
>> Merged, with some rearrangement.
> 
> It is not clear to me - why should these be labelled as bin_t instead of
> consolekit_exec_t?  Are they run by anything other than consolekit?
> 
> Best wishes,
> 
Not currently, but we do not always label all binaries with a context
that can cause a transition.  And theoretically these scripts could be
used by another application.  Just because a script is labeled bin_t and
can be executed by a confined domain, does not mean it adds any privs to
the confined domain.  bin_t apps will execute in the current domain.

^ permalink raw reply	[flat|nested] 15+ messages in thread
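
The point made in the reply above (a bin_t program runs in the caller's domain, while an entrypoint type such as consolekit_exec_t can trigger a transition) can be seen in a simplified model of the exec-time domain decision. This is an added example, not code from the thread or from refpolicy; the rule tables and the `launcher_t` and `confined_t` domains are constructed for illustration.

```python
# Simplified model of how SELinux picks the domain of a program after execve().
# All rules below are constructed sample data, not refpolicy's actual rules.

# type_transition <caller domain> <file type> : process <new domain>
TYPE_TRANSITIONS = {("launcher_t", "consolekit_exec_t"): "consolekit_t"}

# allow rules as (source, target, class, permission)
ALLOW = {
    ("launcher_t", "consolekit_exec_t", "file", "execute"),
    ("launcher_t", "consolekit_t", "process", "transition"),
    ("consolekit_t", "consolekit_exec_t", "file", "entrypoint"),
    ("consolekit_t", "bin_t", "file", "execute"),
    ("consolekit_t", "bin_t", "file", "execute_no_trans"),
    ("confined_t", "bin_t", "file", "execute"),
    ("confined_t", "bin_t", "file", "execute_no_trans"),
}


def allowed(source, target, tclass, perm):
    return (source, target, tclass, perm) in ALLOW


def domain_after_exec(domain, file_type):
    """Return the domain the executed program runs in, or None if denied."""
    if not allowed(domain, file_type, "file", "execute"):
        return None
    new_domain = TYPE_TRANSITIONS.get((domain, file_type), domain)
    if new_domain == domain:
        # No transition rule matched: the program keeps the caller's domain,
        # which requires execute_no_trans on the file type.
        ok = allowed(domain, file_type, "file", "execute_no_trans")
        return domain if ok else None
    # Transition: the caller needs process:transition to the new domain and
    # the file type must be an entrypoint for that domain.
    if (allowed(domain, new_domain, "process", "transition")
            and allowed(new_domain, file_type, "file", "entrypoint")):
        return new_domain
    return None


def rules_for(domain):
    """Allow rules whose source is the given domain."""
    return {rule for rule in ALLOW if rule[0] == domain}


if __name__ == "__main__":
    for caller, ftype in [("confined_t", "bin_t"),
                          ("launcher_t", "consolekit_exec_t"),
                          ("confined_t", "consolekit_exec_t")]:
        print(caller, "exec", ftype, "->", domain_after_exec(caller, ftype))
```
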

* [refpolicy] kernel_corecommands.patch
  2008-12-02 22:51 ` Christopher J. PeBenito
@ 2008-12-06 13:00   ` Martin Orr
  2008-12-09 13:43     ` Daniel J Walsh
  0 siblings, 1 reply; 15+ messages in thread
From: Martin Orr @ 2008-12-06 13:00 UTC (permalink / raw)
  To: refpolicy

On 02/12/08 22:51, Christopher J. PeBenito wrote:
> On Tue, 2008-11-25 at 16:35 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corecommands.patch
>>
>> Add bin_t for ConsoleKit scripts
> 
> Merged, with some rearrangement.

It is not clear to me - why should these be labelled as bin_t instead of
consolekit_exec_t?  Are they run by anything other than consolekit?

Best wishes,

-- 
Martin Orr

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] kernel_corecommands.patch
  2008-11-25 21:35 Daniel J Walsh
@ 2008-12-02 22:51 ` Christopher J. PeBenito
  2008-12-06 13:00   ` Martin Orr
  0 siblings, 1 reply; 15+ messages in thread
From: Christopher J. PeBenito @ 2008-12-02 22:51 UTC (permalink / raw)
  To: refpolicy

On Tue, 2008-11-25 at 16:35 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corecommands.patch
> 
> Add bin_t for several cups binaries.
> 
> Move some for Brother to a higher level
> 
> Add bin_t for ConsoleKit scripts

Merged, with some rearrangement.

> Add bin_t for pam_krb5_storegtmp

Conflicts with pam_exec_t labeling.

> Add sys_chroot capability to corecmd_exec_chroot interface

While I agree in principle, I would want to remove it from unprivileged
users.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] kernel_corecommands.patch
@ 2008-11-25 21:35 Daniel J Walsh
  2008-12-02 22:51 ` Christopher J. PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2008-11-25 21:35 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corecommands.patch

Add bin_t for several cups binaries.

Move some for Brother to a higher level

Add bin_t for ConsoleKit scripts

Add bin_t for pam_krb5_storegtmp

Add sys_chroot capability to corecmd_exec_chroot interface

^ permalink raw reply	[flat|nested] 15+ messages in thread
