* Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c
@ 2012-07-17 23:43 William Roberts
2012-07-18 0:20 ` Radzykewycz, T (Radzy)
2012-07-19 13:35 ` Stephen Smalley
0 siblings, 2 replies; 4+ messages in thread
From: William Roberts @ 2012-07-17 23:43 UTC (permalink / raw)
To: selinux; +Cc: rpcraig
[-- Attachment #1: Type: text/plain, Size: 804 bytes --]
I think we need to discuss this change id further.
Commit sha b263780156624c38b23d638be6a2d8bdd17511f8 on master
selinuxproject/master.
It really provides two functions:
1. x.509 cert to seinfo string mapping for seapp_contexts so the zygote
spawns it in the right domain...
2. install time permission checking
I think these should be submitted as two different patch sets to AOSP
respective of their functionality. I think the x.509 cert checks will get
pulled in and I am not sure on the install time permission checking.
I am also wondering if we really need mac_permisions.xml to be in in it's
own repo. I think it should be in sepolicy since it is part of the policy
of the device, like seapp_contexts.
What are the communities opinions on these comments?
--
Respectfully,
William C Roberts
[-- Attachment #2: Type: text/html, Size: 1002 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c
2012-07-17 23:43 Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c William Roberts
@ 2012-07-18 0:20 ` Radzykewycz, T (Radzy)
2012-07-18 0:22 ` William Roberts
2012-07-19 13:35 ` Stephen Smalley
1 sibling, 1 reply; 4+ messages in thread
From: Radzykewycz, T (Radzy) @ 2012-07-18 0:20 UTC (permalink / raw)
To: William Roberts, selinux; +Cc: rpcraig
> I am also wondering if we really need mac_permisions.xml to be
> in in it's own repo. I think it should be in sepolicy since it
> is part of the policy of the device, like seapp_contexts.
I would like to see all policy be contained within a single git project. It
could be divided into subdirectories, such as external/sepolicy/base and
external/sepolicy/mmac or something. But having it all in one place
would be more convenient for overall system policy analysis.
________________________________________
From: owner-selinux@tycho.nsa.gov [owner-selinux@tycho.nsa.gov] on behalf of William Roberts [bill.c.roberts@gmail.com]
Sent: Tuesday, July 17, 2012 4:43 PM
To: selinux@tycho.nsa.gov
Cc: rpcraig
Subject: Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c
I think we need to discuss this change id further.
Commit sha b263780156624c38b23d638be6a2d8bdd17511f8 on master selinuxproject/master.
It really provides two functions:
1. x.509 cert to seinfo string mapping for seapp_contexts so the zygote spawns it in the right domain...
2. install time permission checking
I think these should be submitted as two different patch sets to AOSP respective of their functionality. I think the x.509 cert checks will get pulled in and I am not sure on the install time permission checking.
I am also wondering if we really need mac_permisions.xml to be in in it's own repo. I think it should be in sepolicy since it is part of the policy of the device, like seapp_contexts.
What are the communities opinions on these comments?
--
Respectfully,
William C Roberts
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c
2012-07-18 0:20 ` Radzykewycz, T (Radzy)
@ 2012-07-18 0:22 ` William Roberts
0 siblings, 0 replies; 4+ messages in thread
From: William Roberts @ 2012-07-18 0:22 UTC (permalink / raw)
To: Radzykewycz, T (Radzy); +Cc: selinux, rpcraig
[-- Attachment #1: Type: text/plain, Size: 1953 bytes --]
Yes, it took me a few minutes to realize it was in mac-policy today after
the "merge" with master. It doesn't make sense there.
Any thoughts on breaking up the change id?
On Tue, Jul 17, 2012 at 5:20 PM, Radzykewycz, T (Radzy) <radzy@windriver.com
> wrote:
> > I am also wondering if we really need mac_permisions.xml to be
> > in in it's own repo. I think it should be in sepolicy since it
> > is part of the policy of the device, like seapp_contexts.
>
> I would like to see all policy be contained within a single git project.
> It
> could be divided into subdirectories, such as external/sepolicy/base and
> external/sepolicy/mmac or something. But having it all in one place
> would be more convenient for overall system policy analysis.
>
> ________________________________________
> From: owner-selinux@tycho.nsa.gov [owner-selinux@tycho.nsa.gov] on behalf
> of William Roberts [bill.c.roberts@gmail.com]
> Sent: Tuesday, July 17, 2012 4:43 PM
> To: selinux@tycho.nsa.gov
> Cc: rpcraig
> Subject: Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c
>
> I think we need to discuss this change id further.
> Commit sha b263780156624c38b23d638be6a2d8bdd17511f8 on master
> selinuxproject/master.
>
> It really provides two functions:
>
> 1. x.509 cert to seinfo string mapping for seapp_contexts so the zygote
> spawns it in the right domain...
> 2. install time permission checking
>
> I think these should be submitted as two different patch sets to AOSP
> respective of their functionality. I think the x.509 cert checks will get
> pulled in and I am not sure on the install time permission checking.
>
> I am also wondering if we really need mac_permisions.xml to be in in it's
> own repo. I think it should be in sepolicy since it is part of the policy
> of the device, like seapp_contexts.
>
> What are the communities opinions on these comments?
>
> --
> Respectfully,
>
> William C Roberts
>
>
>
--
Respectfully,
William C Roberts
[-- Attachment #2: Type: text/html, Size: 2669 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c
2012-07-17 23:43 Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c William Roberts
2012-07-18 0:20 ` Radzykewycz, T (Radzy)
@ 2012-07-19 13:35 ` Stephen Smalley
1 sibling, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2012-07-19 13:35 UTC (permalink / raw)
To: William Roberts; +Cc: selinux, rpcraig
On Tue, 2012-07-17 at 16:43 -0700, William Roberts wrote:
> I think we need to discuss this change id further.
> Commit sha b263780156624c38b23d638be6a2d8bdd17511f8 on master
> selinuxproject/master.
>
>
> It really provides two functions:
>
>
> 1. x.509 cert to seinfo string mapping for seapp_contexts so the
> zygote spawns it in the right domain...
> 2. install time permission checking
>
>
> I think these should be submitted as two different patch sets to AOSP
> respective of their functionality. I think the x.509 cert checks will
> get pulled in and I am not sure on the install time permission
> checking.
>
>
> I am also wondering if we really need mac_permisions.xml to be in in
> it's own repo. I think it should be in sepolicy since it is part of
> the policy of the device, like seapp_contexts.
>
>
> What are the communities opinions on these comments?
I think it is reasonable to split out the support for certificate-based
assignment of seinfo= strings from the rest of the install-time MAC
support if that provides a path for merging that support earlier.
Otherwise it isn't worth the effort.
Originally the mac_permissions.xml configuration only contained
middleware MAC configuration information, nothing related to SELinux, so
it was natural to keep it in a separate mac-policy project. We
originally had the middleware MAC support under its own build option
(HAVE_MAC) that could be enabled independently of HAVE_SELINUX.
With the seinfo= support in mac_permissions.xml, it may make sense to
bring it over into sepolicy.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2012-07-19 13:35 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-07-17 23:43 Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c William Roberts
2012-07-18 0:20 ` Radzykewycz, T (Radzy)
2012-07-18 0:22 ` William Roberts
2012-07-19 13:35 ` Stephen Smalley
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.