* Daniel J Walsh [2004-11-11 00:12]:
> Removal of a lot of kerberos and can_ypbind calls. (Centralized under
> the auth call).
> --- nsapolicy/macros/admin_macros.te 2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.1/macros/admin_macros.te 2004-11-10 17:30:03.466882997 -0500
> @@ -106,6 +107,7 @@
> allow $1_t tty_device_t:chr_file rw_file_perms;
> allow $1_t ttyfile:chr_file rw_file_perms;
> allow $1_t ptyfile:chr_file rw_file_perms;
> +allow $1_t serial_device:chr_file setattr;

I recently thought about whether we should add
allow sysadm_t device_type:{ chr_file blk_file } setattr;
This is currently forbidden. Most admins will want to change device
permissions so as to allow access to specific users.
What do others think about this?

> --- nsapolicy/macros/network_macros.te 1969-12-31 19:00:00.000000000 -0500
> +++ policy-1.19.1/macros/network_macros.te 2004-11-10 17:50:28.419688186 -0500
> @@ -0,0 +1,5 @@
> +define(`can_kerberos',`
> +can_network($1)
> +dontaudit $1 krb5_conf_t:file write;
> +allow $1 krb5_conf_t:file { getattr read };
> +')

This needs to be conditionalized. Most users don't use kerberos; they should
not have the can_network() for many different domains.
I'd like to have a file kerberos-client.te plus a boolean (optional). That
way, users who do not use kerberos can remove it completely from policy (why
should I have files labeled krb5_conf_t if I don't use kerberos at all?)

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
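Review bot: in the admin_macros.te hunk, `+allow $1_t serial_device:chr_file setattr;` is the one rule in this block that grants only `setattr` rather than `rw_file_perms`, and the one that names a target without the `_t` suffix its neighbour `tty_device_t` carries; confirm `serial_device` is a declared type or attribute (like `ttyfile` and `ptyfile` above it) and put a one-line comment over the rule saying that the intent is to let the admin domain chown/chmod serial ports for users, otherwise a bare `setattr` with no read/write reads like a truncated grant. If the real need is the general `device_type:{ chr_file blk_file } setattr` raised in the reply, that decision belongs in this macro rather than as a per-device special case.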
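Review bot: in the new network_macros.te hunk, `can_kerberos` gives every caller an unconditional `can_network($1)`, so a domain that only needs `{ getattr read }` on `krb5_conf_t` also picks up generic network access on hosts that never talk to a KDC; wrap the body in a boolean or an `ifdef` on a kerberos-client policy file so the macro expands to nothing when Kerberos is not enabled. The `dontaudit $1 krb5_conf_t:file write;` also needs a comment stating why a Kerberos client is expected to attempt a write on its config file; without it the next reader will assume a genuine write is being silently denied.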
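A sketch of the conditionalized macro Thomas asks for, as an added example that is not part of this thread or of the policy-1.19.1 tree. It assumes a boolean named use_kerberos and a hypothetical kerberos-client.te that the policy build exposes to m4 as the symbol `kerberos-client.te' (the same ifdef-on-filename convention the old monolithic policy uses for other .te files); it also assumes can_network() expands only to allow/dontaudit rules, which is what a conditional block may contain.

```m4
# Added example, not from the patch or from policy-1.19.1.
# Assumptions: the boolean use_kerberos and the file kerberos-client.te
# are hypothetical names; the build is assumed to define the m4 symbol
# `kerberos-client.te' whenever that file is compiled in.

# --- kerberos-client.te (hypothetical file) ---
# The type moves here, so a tree built without this file has no
# krb5_conf_t label at all.
type krb5_conf_t, file_type, sysadmfile;
# Default off: no KDC traffic is authorised until an admin flips it.
bool use_kerberos false;

# --- macros/network_macros.te ---
define(`can_kerberos',`
ifdef(`kerberos-client.te', `
# Build-time switch: with kerberos-client.te absent the whole macro
# expands to nothing. Runtime switch: `setsebool use_kerberos 1'
# turns the rules on without a rebuild; off, $1 gets no network
# access from this macro.
if (use_kerberos) {
can_network($1)
allow $1 krb5_conf_t:file { getattr read };
}
# Keep the write attempt the original macro already silenced out of
# the audit log whether or not the boolean is set.
dontaudit $1 krb5_conf_t:file write;
')
')
```

With this shape, domains that call `can_kerberos($1_t)` carry no Kerberos or network rules on a system built without kerberos-client.te, and on a system built with it the rules stay dormant until `use_kerberos` is enabled, which is what the reply asks for.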