* [refpolicy] services_setroubleshoot.patch
@ 2010-08-26 22:20 Daniel J Walsh
0 siblings, 0 replies; 11+ messages in thread
From: Daniel J Walsh @ 2010-08-26 22:20 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_setroubleshoot.patch
Lots of fixes.
* [refpolicy] services_setroubleshoot.patch
@ 2010-02-23 22:13 Daniel J Walsh
0 siblings, 0 replies; 11+ messages in thread
From: Daniel J Walsh @ 2010-02-23 22:13 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_setroubleshoot.patch
Policy to handle the fixit button in setroubleshoot.
* [refpolicy] services_setroubleshoot.patch
@ 2009-11-12 21:59 Daniel J Walsh
0 siblings, 0 replies; 11+ messages in thread
From: Daniel J Walsh @ 2009-11-12 21:59 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_setroubleshoot.patch
setroubleshoot now has a fixit button.
* [refpolicy] services_setroubleshoot.patch
2009-07-20 18:27 ` Christopher J. PeBenito
@ 2009-07-20 19:40 ` Daniel J Walsh
0 siblings, 0 replies; 11+ messages in thread
From: Daniel J Walsh @ 2009-07-20 19:40 UTC (permalink / raw)
To: refpolicy
On 07/20/2009 02:27 PM, Christopher J. PeBenito wrote:
> On Tue, 2009-06-30 at 08:53 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_setroubleshoot.patch
>>
>> Removed initrc part of the patch.
>
> You have this:
>
> +# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
> +allow setroubleshootd_t self:process { execmem execstack };
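Review bot: the comment on the first added line does not name the library that triggers the execmem/execstack requirement or reference a bug report, so a later reader cannot tell when the rule is safe to drop. Name the library (or link the report) in the comment, and check whether both permissions are needed or only one of them.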
>
> Is this anticipated to be a temporary issue? If so, I'd prefer to keep
> it out of refpolicy upstream. Otherwise it would seem to be better to
> be in a distro_redhat.
>
Maybe make it a dontaudit?
* [refpolicy] services_setroubleshoot.patch
2009-06-30 12:53 Daniel J Walsh
@ 2009-07-20 18:27 ` Christopher J. PeBenito
2009-07-20 19:40 ` Daniel J Walsh
0 siblings, 1 reply; 11+ messages in thread
From: Christopher J. PeBenito @ 2009-07-20 18:27 UTC (permalink / raw)
To: refpolicy
On Tue, 2009-06-30 at 08:53 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_setroubleshoot.patch
>
> Removed initrc part of the patch.
You have this:
+# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
+allow setroubleshootd_t self:process { execmem execstack };
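Review bot: the allow rule on the second added line grants execmem and execstack to setroubleshootd_t unconditionally, while the comment above it says they are only needed if a bad library requires them. If this is a workaround for one distribution's library, wrap it in ifdef(`distro_redhat',` ... ') so other refpolicy users do not get executable anonymous memory and an executable stack in this domain by default, and remove it once the library is fixed.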
Is this anticipated to be a temporary issue? If so, I'd prefer to keep
it out of refpolicy upstream. Otherwise it would seem to be better to
be in a distro_redhat.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_setroubleshoot.patch
@ 2009-06-30 12:53 Daniel J Walsh
2009-07-20 18:27 ` Christopher J. PeBenito
0 siblings, 1 reply; 11+ messages in thread
From: Daniel J Walsh @ 2009-06-30 12:53 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_setroubleshoot.patch
Removed initrc part of the patch.
* [refpolicy] services_setroubleshoot.patch
2009-06-09 1:07 Daniel J Walsh
@ 2009-06-30 12:47 ` Christopher J. PeBenito
0 siblings, 0 replies; 11+ messages in thread
From: Christopher J. PeBenito @ 2009-06-30 12:47 UTC (permalink / raw)
To: refpolicy
On Mon, 2009-06-08 at 21:07 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_setroubleshoot.patch
>
> Label for initrc script
Isn't setroubleshoot no longer a daemon? If so, this likely needs to be
dropped.
> setroubleshoot uses dbus
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_setroubleshoot.patch
@ 2009-06-09 1:07 Daniel J Walsh
2009-06-30 12:47 ` Christopher J. PeBenito
0 siblings, 1 reply; 11+ messages in thread
From: Daniel J Walsh @ 2009-06-09 1:07 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_setroubleshoot.patch
Label for initrc script
setroubleshoot uses dbus
* [refpolicy] services_setroubleshoot.patch
@ 2009-03-24 14:00 Daniel J Walsh
0 siblings, 0 replies; 11+ messages in thread
From: Daniel J Walsh @ 2009-03-24 14:00 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_setroubleshoot.patch
setroubleshoot has been rewritten to use dbus
needs sys_nice
Will kill itself and send signals to itself
Lots reads net_sysctls.
if a process or file becomes unlabeled_t setroubleshoot will look at it
examines all devices on the system
examines all files for at least getattr
Sends audit messages
Examines binary policy for audit2why functionality
* [refpolicy] services_setroubleshoot.patch
@ 2008-10-14 19:37 Daniel J Walsh
0 siblings, 0 replies; 11+ messages in thread
From: Daniel J Walsh @ 2008-10-14 19:37 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_setroubleshoot.patch
Fix stream connect interface
Add _admin interface
Add sys_nice capability
Add initrc labeling
Needs to send sigkill and getsched
Reads net sysctls, tries to read all processes
Needs to be able to read unlabeled_t to report the problem.
Getattr on all chr and blk files
Needs to read all directories and getattr on all file types
Dontaudit use of nfs and cifs reads fusefs symlinks
sends audit messages
Reads the bin policy to do audit2why
Can be started by dbus
Sends signull to rpm
* [refpolicy] services_setroubleshoot.patch
@ 2008-09-24 20:04 Daniel J Walsh
0 siblings, 0 replies; 11+ messages in thread
From: Daniel J Walsh @ 2008-09-24 20:04 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_setroubleshoot.patch
Add initrc script support
allow admin to start/stop service
Admin needs admin_pattern on all file types
Clean up stream interface
setroubleshoot sets sys_nice
send kill signals and sigkill to itself, plus getattr on itself
reads netsysctls
lists all processes
does a getattr on any file/device on the system to check context
can attempt to read nfs file systems
Sends audit messages
Now uses audit2why so needs to read binary policy