* Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c
@ 2012-07-17 23:43 William Roberts
  2012-07-18  0:20 ` Radzykewycz, T (Radzy)
  2012-07-19 13:35 ` Stephen Smalley
  0 siblings, 2 replies; 4+ messages in thread
From: William Roberts @ 2012-07-17 23:43 UTC (permalink / raw)
  To: selinux; +Cc: rpcraig

I think we need to discuss this change id further.
Commit sha b263780156624c38b23d638be6a2d8bdd17511f8 on master
selinuxproject/master.

It really provides two functions:

1. x.509 cert to seinfo string mapping for seapp_contexts so the zygote
spawns it in the right domain...
2. install time permission checking

I think these should be submitted as two different patch sets to AOSP
respective of their functionality. I think the x.509 cert checks will get
pulled in and I am not sure on the install time permission checking.

I am also wondering if we really need mac_permissions.xml to be in its
own repo. I think it should be in sepolicy since it is part of the policy
of the device, like seapp_contexts.

What are the community's opinions on these comments?

-- 
Respectfully,

William C Roberts


* RE: Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c
  2012-07-17 23:43 Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c William Roberts
@ 2012-07-18  0:20 ` Radzykewycz, T (Radzy)
  2012-07-18  0:22   ` William Roberts
  2012-07-19 13:35 ` Stephen Smalley
  1 sibling, 1 reply; 4+ messages in thread
From: Radzykewycz, T (Radzy) @ 2012-07-18  0:20 UTC (permalink / raw)
  To: William Roberts, selinux; +Cc: rpcraig

> I am also wondering if we really need mac_permissions.xml to be
> in its own repo. I think it should be in sepolicy since it
> is part of the policy of the device, like seapp_contexts.

I would like to see all policy be contained within a single git project.  It
could be divided into subdirectories, such as external/sepolicy/base and
external/sepolicy/mmac or something.  But having it all in one place
would be more convenient for overall system policy analysis.

________________________________________
From: owner-selinux@tycho.nsa.gov [owner-selinux@tycho.nsa.gov] on behalf of William Roberts [bill.c.roberts@gmail.com]
Sent: Tuesday, July 17, 2012 4:43 PM
To: selinux@tycho.nsa.gov
Cc: rpcraig
Subject: Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c

I think we need to discuss this change id further.
Commit sha b263780156624c38b23d638be6a2d8bdd17511f8 on master selinuxproject/master.

It really provides two functions:

1. x.509 cert to seinfo string mapping for seapp_contexts so the zygote spawns it in the right domain...
2. install time permission checking

I think these should be submitted as two different patch sets to AOSP respective of their functionality. I think the x.509 cert checks will get pulled in and I am not sure on the install time permission checking.

I am also wondering if we really need mac_permissions.xml to be in its own repo. I think it should be in sepolicy since it is part of the policy of the device, like seapp_contexts.

What are the community's opinions on these comments?

--
Respectfully,

William C Roberts




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c
  2012-07-18  0:20 ` Radzykewycz, T (Radzy)
@ 2012-07-18  0:22   ` William Roberts
  0 siblings, 0 replies; 4+ messages in thread
From: William Roberts @ 2012-07-18  0:22 UTC (permalink / raw)
  To: Radzykewycz, T (Radzy); +Cc: selinux, rpcraig

Yes, it took me a few minutes to realize it was in mac-policy today after
the "merge" with master. It doesn't make sense there.

Any thoughts on breaking up the change id?

On Tue, Jul 17, 2012 at 5:20 PM, Radzykewycz, T (Radzy) <radzy@windriver.com> wrote:

> > I am also wondering if we really need mac_permissions.xml to be
> > in its own repo. I think it should be in sepolicy since it
> > is part of the policy of the device, like seapp_contexts.
>
> I would like to see all policy be contained within a single git project.  It
> could be divided into subdirectories, such as external/sepolicy/base and
> external/sepolicy/mmac or something.  But having it all in one place
> would be more convenient for overall system policy analysis.
>
> ________________________________________
> From: owner-selinux@tycho.nsa.gov [owner-selinux@tycho.nsa.gov] on behalf
> of William Roberts [bill.c.roberts@gmail.com]
> Sent: Tuesday, July 17, 2012 4:43 PM
> To: selinux@tycho.nsa.gov
> Cc: rpcraig
> Subject: Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c
>
> I think we need to discuss this change id further.
> Commit sha b263780156624c38b23d638be6a2d8bdd17511f8 on master
> selinuxproject/master.
>
> It really provides two functions:
>
> 1. x.509 cert to seinfo string mapping for seapp_contexts so the zygote
> spawns it in the right domain...
> 2. install time permission checking
>
> I think these should be submitted as two different patch sets to AOSP
> respective of their functionality. I think the x.509 cert checks will get
> pulled in and I am not sure on the install time permission checking.
>
> I am also wondering if we really need mac_permissions.xml to be in its
> own repo. I think it should be in sepolicy since it is part of the policy
> of the device, like seapp_contexts.
>
> What are the community's opinions on these comments?
>
> --
> Respectfully,
>
> William C Roberts
>
>
>


-- 
Respectfully,

William C Roberts


* Re: Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c
  2012-07-17 23:43 Change-Id: I61d34a9fd6975f23023f70f205a510e3357d843c William Roberts
  2012-07-18  0:20 ` Radzykewycz, T (Radzy)
@ 2012-07-19 13:35 ` Stephen Smalley
  1 sibling, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2012-07-19 13:35 UTC (permalink / raw)
  To: William Roberts; +Cc: selinux, rpcraig

On Tue, 2012-07-17 at 16:43 -0700, William Roberts wrote:
> I think we need to discuss this change id further.
> Commit sha b263780156624c38b23d638be6a2d8bdd17511f8 on master
> selinuxproject/master.
> 
> 
> It really provides two functions:
> 
> 
> 1. x.509 cert to seinfo string mapping for seapp_contexts so the
> zygote spawns it in the right domain...
> 2. install time permission checking
> 
> 
> I think these should be submitted as two different patch sets to AOSP
> respective of their functionality. I think the x.509 cert checks will
> get pulled in and I am not sure on the install time permission
> checking.
> 
> 
> I am also wondering if we really need mac_permissions.xml to be in
> its own repo. I think it should be in sepolicy since it is part of
> the policy of the device, like seapp_contexts.
> 
> 
> What are the community's opinions on these comments?

I think it is reasonable to split out the support for certificate-based
assignment of seinfo= strings from the rest of the install-time MAC
support if that provides a path for merging that support earlier.
Otherwise it isn't worth the effort.

Originally the mac_permissions.xml configuration only contained
middleware MAC configuration information, nothing related to SELinux, so
it was natural to keep it in a separate mac-policy project.  We
originally had the middleware MAC support under its own build option
(HAVE_MAC) that could be enabled independently of HAVE_SELINUX.

With the seinfo= support in mac_permissions.xml, it may make sense to
bring it over into sepolicy.

-- 
Stephen Smalley
National Security Agency

