* [refpolicy] kernel_domain.patch
@ 2010-02-23 22:08 Daniel J Walsh
0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2010-02-23 22:08 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_domain.patch
Lots of changes to domain. Mainly around leaks....
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] kernel_domain.patch
@ 2010-08-26 22:46 Daniel J Walsh
0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2010-08-26 22:46 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_domain.patch
Handle mmap_low correctly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkx27r0ACgkQrlYvE4MpobP0NgCfQk3QcLlGkrSvuMVrvYlgsCx2
1BcAn2g0LgbjzHc25wHQKTUOD0hRVBZE
=OKbC
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] kernel_domain.patch
@ 2010-06-02 20:20 Daniel J Walsh
2010-06-04 13:39 ` Christopher J. PeBenito
0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2010-06-02 20:20 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_domain.patch
Fix interface descriptions
Lots of new domains.
Added polydomain
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] kernel_domain.patch
2010-06-02 20:20 Daniel J Walsh
@ 2010-06-04 13:39 ` Christopher J. PeBenito
2010-06-04 13:52 ` Daniel J Walsh
0 siblings, 1 reply; 12+ messages in thread
From: Christopher J. PeBenito @ 2010-06-04 13:39 UTC (permalink / raw)
To: refpolicy
On Wed, 2010-06-02 at 16:20 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_domain.patch
>
> Fix interface descriptions
>
> Lots of new domains.
>
> Added polydomain
What is the purpose of polydomain?
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] kernel_domain.patch
2010-06-04 13:39 ` Christopher J. PeBenito
@ 2010-06-04 13:52 ` Daniel J Walsh
2010-06-07 12:51 ` Christopher J. PeBenito
0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2010-06-04 13:52 UTC (permalink / raw)
To: refpolicy
On 06/04/2010 09:39 AM, Christopher J. PeBenito wrote:
> On Wed, 2010-06-02 at 16:20 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_domain.patch
>>
>> Fix interface descriptions
>>
>> Lots of new domains.
>>
>> Added polydomain
>
> What is the purpose of polydomain?
>
If I have a polinstatiated homedir like on an MLS machine. When login
programs creates the homedir it needs to populate it with content from
/etc/skel. When it does this, it needs to relabel it to user homedir
content.
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all(polydomain)
userdom_manage_user_home_content_dirs(polydomain)
userdom_manage_user_home_content_files(polydomain)
userdom_relabelto_user_home_dirs(polydomain)
userdom_relabelto_user_home_files(polydomain)
'
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] kernel_domain.patch
2010-06-04 13:52 ` Daniel J Walsh
@ 2010-06-07 12:51 ` Christopher J. PeBenito
2010-06-07 13:27 ` Daniel J Walsh
0 siblings, 1 reply; 12+ messages in thread
From: Christopher J. PeBenito @ 2010-06-07 12:51 UTC (permalink / raw)
To: refpolicy
On Fri, 2010-06-04 at 09:52 -0400, Daniel J Walsh wrote:
> On 06/04/2010 09:39 AM, Christopher J. PeBenito wrote:
> > On Wed, 2010-06-02 at 16:20 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_domain.patch
> >>
> >> Fix interface descriptions
> >>
> >> Lots of new domains.
> >>
> >> Added polydomain
> >
> > What is the purpose of polydomain?
> >
>
> If I have a polinstatiated homedir like on an MLS machine. When login
> programs creates the homedir it needs to populate it with content from
> /etc/skel. When it does this, it needs to relabel it to user homedir
> content.
That sounds like rules in auth_login_pgm_domain() that should already
exist.
> tunable_policy(`allow_polyinstantiation',`
> files_polyinstantiate_all(polydomain)
> userdom_manage_user_home_content_dirs(polydomain)
> userdom_manage_user_home_content_files(polydomain)
> userdom_relabelto_user_home_dirs(polydomain)
> userdom_relabelto_user_home_files(polydomain)
> '
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] kernel_domain.patch
2010-06-07 12:51 ` Christopher J. PeBenito
@ 2010-06-07 13:27 ` Daniel J Walsh
2010-06-07 13:46 ` Christopher J. PeBenito
0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2010-06-07 13:27 UTC (permalink / raw)
To: refpolicy
On 06/07/2010 08:51 AM, Christopher J. PeBenito wrote:
> On Fri, 2010-06-04 at 09:52 -0400, Daniel J Walsh wrote:
>> On 06/04/2010 09:39 AM, Christopher J. PeBenito wrote:
>>> On Wed, 2010-06-02 at 16:20 -0400, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_domain.patch
>>>>
>>>> Fix interface descriptions
>>>>
>>>> Lots of new domains.
>>>>
>>>> Added polydomain
>>>
>>> What is the purpose of polydomain?
>>>
>>
>> If I have a polinstatiated homedir like on an MLS machine. When login
>> programs creates the homedir it needs to populate it with content from
>> /etc/skel. When it does this, it needs to relabel it to user homedir
>> content.
>
> That sounds like rules in auth_login_pgm_domain() that should already
> exist.
>
>> tunable_policy(`allow_polyinstantiation',`
>> files_polyinstantiate_all(polydomain)
>> userdom_manage_user_home_content_dirs(polydomain)
>> userdom_manage_user_home_content_files(polydomain)
>> userdom_relabelto_user_home_dirs(polydomain)
>> userdom_relabelto_user_home_files(polydomain)
>> '
>
The rules do not exist there currently other then
files_polyinstantiate_all(polydomain)
We could move this there or eliminate it and use the attribute save
hundreds/thousands of rules.
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] kernel_domain.patch
2010-06-07 13:27 ` Daniel J Walsh
@ 2010-06-07 13:46 ` Christopher J. PeBenito
0 siblings, 0 replies; 12+ messages in thread
From: Christopher J. PeBenito @ 2010-06-07 13:46 UTC (permalink / raw)
To: refpolicy
On Mon, 2010-06-07 at 09:27 -0400, Daniel J Walsh wrote:
> On 06/07/2010 08:51 AM, Christopher J. PeBenito wrote:
> > On Fri, 2010-06-04 at 09:52 -0400, Daniel J Walsh wrote:
> >> On 06/04/2010 09:39 AM, Christopher J. PeBenito wrote:
> >>> On Wed, 2010-06-02 at 16:20 -0400, Daniel J Walsh wrote:
> >>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_domain.patch
> >>>>
> >>>> Fix interface descriptions
> >>>>
> >>>> Lots of new domains.
> >>>>
> >>>> Added polydomain
> >>>
> >>> What is the purpose of polydomain?
> >>>
> >>
> >> If I have a polinstatiated homedir like on an MLS machine. When login
> >> programs creates the homedir it needs to populate it with content from
> >> /etc/skel. When it does this, it needs to relabel it to user homedir
> >> content.
> >
> > That sounds like rules in auth_login_pgm_domain() that should already
> > exist.
> >
> >> tunable_policy(`allow_polyinstantiation',`
> >> files_polyinstantiate_all(polydomain)
> >> userdom_manage_user_home_content_dirs(polydomain)
> >> userdom_manage_user_home_content_files(polydomain)
> >> userdom_relabelto_user_home_dirs(polydomain)
> >> userdom_relabelto_user_home_files(polydomain)
> >> '
> >
> The rules do not exist there currently other then
> files_polyinstantiate_all(polydomain)
>
> We could move this there or eliminate it and use the attribute save
> hundreds/thousands of rules.
I'd prefer it as part of the auth_login_pgm_domain(), since that is what
the concept is. If you want to look at turning that interface into an
attribute with rules in authlogin.te then that would be fine.
If you're that concerned about the rule count, perhaps you could
convince Red Hat to invest some time in an optimizing policy
compiler? :)
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] kernel_domain.patch
@ 2009-11-12 20:59 Daniel J Walsh
0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2009-11-12 20:59 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F12/kernel_domain.patch
F12 domain
moved a lot of stuff out to use an attribute
added a getsched interface
And several other global interfaces
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] kernel_domain.patch
@ 2009-05-21 15:19 Daniel J Walsh
0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2009-05-21 15:19 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_domain.patch
Add search_dir_perms to domain search
Add interface to define domain_mmap_low_type So I can have the attribute
without the right. Then I can write the allow rule with a boolean.
Add attribute polydomain which can turn on and off
allow_polyinstatiation boolean.
Lots of global allows to prevent spurious avc messages.
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] kernel_domain.patch
@ 2009-03-04 21:36 Daniel J Walsh
0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2009-03-04 21:36 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_domain.patch
Add interface domain_mmap_low and write it so it can be controled by boolean
Lots of stuff to stop random bogus avc's
Add polydomain interface to allow polyinstation boolean
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmu9EsACgkQrlYvE4MpobPuBACfa+EDtybTaaWaijAQKc1Q3N7E
D8cAoNcDiu1svMk18IJEHCzTqYn8b5iI
=vedN
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] kernel_domain.patch
@ 2008-11-25 21:55 Daniel J Walsh
0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2008-11-25 21:55 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_domain.patch
Separate the type for domains that can mmap_zero from the actual ability
to set mmap_zero so we can use a boolean to set this ability. If we
ever got the ability to have attributes surrounded by booleans, this
type of hacking would not be necessary.
Allow all unconfined_domains to set chat with all domains.
Allow unconfined domains to write to all domains proc files
A bunch of domain prevent dumb avcs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkksdG8ACgkQrlYvE4MpobMawQCeMaHw+nTBbUlKv0mGaLg48kZ/
wroAoJjrbmP2GSI3cJ6iBf19fEBNKtP7
=zkYf
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2010-08-26 22:46 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-02-23 22:08 [refpolicy] kernel_domain.patch Daniel J Walsh
-- strict thread matches above, loose matches on Subject: below --
2010-08-26 22:46 Daniel J Walsh
2010-06-02 20:20 Daniel J Walsh
2010-06-04 13:39 ` Christopher J. PeBenito
2010-06-04 13:52 ` Daniel J Walsh
2010-06-07 12:51 ` Christopher J. PeBenito
2010-06-07 13:27 ` Daniel J Walsh
2010-06-07 13:46 ` Christopher J. PeBenito
2009-11-12 20:59 Daniel J Walsh
2009-05-21 15:19 Daniel J Walsh
2009-03-04 21:36 Daniel J Walsh
2008-11-25 21:55 Daniel J Walsh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.