Re: Latest diffs

[Daniel J Walsh <dwalsh@redhat.com>]

Christopher J. PeBenito wrote:
> On Fri, 2006-09-22 at 16:30 -0400, Daniel J Walsh wrote:
>   
>> Christopher J. PeBenito wrote:
>>     
>>> On Wed, 2006-09-20 at 12:12 -0400, Daniel J Walsh wrote:
>>>   
>>>       
>>>> http://people.redhat.com/dwalsh/SELinux/policy.diff
>>>>
>>>> Changed to allow 1024 categories.
>>>>         
>>> Not adding this yet.  Waiting for concensus on how high we should go.
>>>   
>>>       
>> Ok, any way we could make this a constant defined in the Makefile?
>>
>> TOTAL_CATS=1024, MAX_CAT=c1023
>>     
>
> This was suggested to me by others; it seems like a reasonable
> compromise.  I'll probably make build options for the number of MLS and
> MCS categories, and the number of MLS sensitivities.
>
>   
>>>> Add a files_manage_non_secure_dirs for autofs
>>>>         
>>> This seems suspect.
>>>   
>>>       
>> Autofs creates a file/directory in every directory it mounts over.
>>     
>
> But why does it do this?
>
>   
Taken off list to get an answer from autofs package maintainer, will 
post answer.
> Also, the other change sounds suspect since it can't do any rawip send
> or receive:
>
>   
>> automount uses rawip_socket  
>>     
>
>   
>>>> Stop using bluetooth_helper_t
>>>>         
>>> Why?
>>>
>>>       
>> Two many bugs and it is confining userspace with X-Windows.
>>     
>
> I assume you're referring to targeted, in which case, the transition
> should be removed from unconfined_t, not the label from the file.
>
>   
Yes although I think it will not work well in strict, but we can remove 
the transition.
>>>> oddjob policy should be added
>>>>         
>
> /usr/lib/oddjobd    gen_context(system_u:object_r:oddjob_var_lib_t,s0)
>
> Is this right?  Not /var/lib/oddjobd since its oddjob_var_lib_t?
>   
Yes this should be eliminated.  Not needed. 
>   
>>> * What is the /opt/fortitude stuff in apache?
>>>   
>>>       
>> It is a new Red Hat product for government use, I believe. 
>>     
>
> I'm not sure this should upstreamed in that case.
>
>   
Fine.
>> readahead needs mls_read_up priv, donaudit looking at nvram
>>     
>
> The second part seems weird since there already is:
>
> dev_getattr_all_chr_files(readahead_t)
>
>   
Your right this would be fixes by mls_read_up.
>> fsdaemon_exec_t needs to run at SystemHigh to be able to look at fixed disks
>>     
>
> Holding off on this one until the range_transitions work in modules,
> which should hopefully be very soon.  Also, why not just do mls_read_up
> instead?
>
>   
I will try that.
>> /dev/rawctl is labeled as a fixed_disk_device_t even though it is a 
>> chr_file.  Not sure if this is correct.
>>     
>
> According to drivers/char/raw.c:
>
>  * Front-end raw character devices.  These can be bound to any block
>  * devices to provide genuine Unix raw character device semantics.
>  *
>  * We reserve minor number 0 for a control interface.  ioctl()s on this
>  * device are used to bind the other minor numbers to block devices.
>
> So it sounds like we need two types, one for the control device and one
> for raw1, etc.
>
>   
>> nscd needs to be accessable from sysadm_r.
>>     
>
> I think there may be another way to fix this.  I looked back at the
> direct_sysadm_daemon stuff, and I realized that there are two parts to
> this.  The first is the role transition to allow sysadm_t to restart
> services without using run_init.  The second allows sysadm_t to start up
> daemons by directly executing them.  Right now they're both controlled
> by the DIRECT_INITRC build option.
>
> So the question is, do we still want the second part?  If so, it should
> be separated into its own build option or tunable.
>
> I understand that usermod restarts nscd; its too bad it can't just
> signal nscd to clear its cache rather than doing something broken like
> this.
>
>   
This is a similar problem to rpm.  Where sysadm_r is required access to 
all domains that could be run in a rpm scriptlet.  Currently I require 
mls people to run rpm with run_init to get it to work correctly.
>> need a userdom_use_unpriv_users_ttys so sysadm_t can write to all users 
>> terminals when system is going down.
>>     
>
> Moved this change down.
>
>   
>> auditadm and secadm need to be able to messages to syslog
>>     
>
> * moved firstboot_rw_t alias to files.
>
>   


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.