* [refpolicy] services_snmp.patch
@ 2010-08-26 22:21 Daniel J Walsh
0 siblings, 0 replies; 14+ messages in thread
From: Daniel J Walsh @ 2010-08-26 22:21 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_snmp.patch
Fix label
add capabilities
tmpfs /var/run
* [refpolicy] services_snmp.patch
@ 2010-02-23 20:58 Daniel J Walsh
0 siblings, 0 replies; 14+ messages in thread
From: Daniel J Walsh @ 2010-02-23 20:58 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_snmp.patch
Needs chown
* [refpolicy] services_snmp.patch
2009-11-12 22:00 Daniel J Walsh
@ 2010-01-07 14:01 ` Christopher J. PeBenito
0 siblings, 0 replies; 14+ messages in thread
From: Christopher J. PeBenito @ 2010-01-07 14:01 UTC (permalink / raw)
To: refpolicy
On Thu, 2009-11-12 at 17:00 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_snmp.patch
>
> new interfaces
>
> Listens on agentx
>
> sends itself signals.
Merged.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_snmp.patch
@ 2009-11-12 22:00 Daniel J Walsh
2010-01-07 14:01 ` Christopher J. PeBenito
0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2009-11-12 22:00 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_snmp.patch
new interfaces
Listens on agentx
sends itself signals.
* [refpolicy] services_snmp.patch
2009-03-05 17:04 Daniel J Walsh
@ 2009-05-14 15:15 ` Christopher J. PeBenito
0 siblings, 0 replies; 14+ messages in thread
From: Christopher J. PeBenito @ 2009-05-14 15:15 UTC (permalink / raw)
To: refpolicy
On Thu, 2009-03-05 at 13:04 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
>
> snmpd has a new directory and files under need correct labeling.
>
>
> connects to agentx port.
Merged.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_snmp.patch
@ 2009-03-05 17:04 Daniel J Walsh
2009-05-14 15:15 ` Christopher J. PeBenito
0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2009-03-05 17:04 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
snmpd has a new directory and files under need correct labeling.
connects to agentx port.
* [refpolicy] services_snmp.patch
2008-12-04 19:26 ` Christopher J. PeBenito
@ 2008-12-04 19:30 ` Daniel J Walsh
0 siblings, 0 replies; 14+ messages in thread
From: Daniel J Walsh @ 2008-12-04 19:30 UTC (permalink / raw)
To: refpolicy
Christopher J. PeBenito wrote:
> On Thu, 2008-12-04 at 14:21 -0500, Daniel J Walsh wrote:
>> Christopher J. PeBenito wrote:
>>> On Wed, 2008-12-03 at 18:09 -0500, Daniel J Walsh wrote:
>>>> Christopher J. PeBenito wrote:
>>>>> On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
>>>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
>>>>>>
>>>>>> Communicates with virtual machines and xen machines
>>>>> I put the kernel_*_xen_state() calls in with the other xen_*() calls.
>>>>>
>>>>> Merged with some other tweaks.
>>>>>
>>>> But the xen stuff is optional while the kernel* calls are not. So if
>>>> you used a policy without xen policy you still want to use the xen device.
>>> That doesn't make any sense to me. Why would it still be using the xen
>>> proc interfaces if there is no xen?
>>>
>> If I have xen devices defined but use some policy other than xen, say
>> initrc_t, or myxen or expanded virt whatever. The devices are defined
>> in device.te and other xen calls are defined in xen.if, they are not the
>> same.
>
> But we're not talking about devices, we're talking about proc entries.
> I wouldn't expect those proc entries to exist except on a xen system, in
> which case you also need the xen policy.
>
You would need policy but not necessarily the interfaces that are
defined in xen.if.
* [refpolicy] services_snmp.patch
2008-12-04 19:21 ` Daniel J Walsh
@ 2008-12-04 19:26 ` Christopher J. PeBenito
2008-12-04 19:30 ` Daniel J Walsh
0 siblings, 1 reply; 14+ messages in thread
From: Christopher J. PeBenito @ 2008-12-04 19:26 UTC (permalink / raw)
To: refpolicy
On Thu, 2008-12-04 at 14:21 -0500, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Wed, 2008-12-03 at 18:09 -0500, Daniel J Walsh wrote:
> >> Christopher J. PeBenito wrote:
> >>> On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
> >>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
> >>>>
> >
> >>>> Communicates with virtual machines and xen machines
> >>> I put the kernel_*_xen_state() calls in with the other xen_*() calls.
> >>>
> >>> Merged with some other tweaks.
> >>>
> >> But the xen stuff is optional while the kernel* calls are not. So if
> >> you used a policy without xen policy you still want to use the xen device.
> >
> > That doesn't make any sense to me. Why would it still be using the xen
> > proc interfaces if there is no xen?
> >
> If I have xen devices defined but use some policy other than xen, say
> initrc_t, or myxen or expanded virt whatever. The devices are defined
> in device.te and other xen calls are defined in xen.if, they are not the
> same.
But we're not talking about devices, we're talking about proc entries.
I wouldn't expect those proc entries to exist except on a xen system, in
which case you also need the xen policy.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_snmp.patch
2008-12-04 13:07 ` Christopher J. PeBenito
@ 2008-12-04 19:21 ` Daniel J Walsh
2008-12-04 19:26 ` Christopher J. PeBenito
0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2008-12-04 19:21 UTC (permalink / raw)
To: refpolicy
Christopher J. PeBenito wrote:
> On Wed, 2008-12-03 at 18:09 -0500, Daniel J Walsh wrote:
>> Christopher J. PeBenito wrote:
>>> On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
>>>>
>
>>>> Communicates with virtual machines and xen machines
>>> I put the kernel_*_xen_state() calls in with the other xen_*() calls.
>>>
>>> Merged with some other tweaks.
>>>
>> But the xen stuff is optional while the kernel* calls are not. So if
>> you used a policy without xen policy you still want to use the xen device.
>
> That doesn't make any sense to me. Why would it still be using the xen
> proc interfaces if there is no xen?
>
If I have xen devices defined but use some policy other than xen, say
initrc_t, or myxen or expanded virt whatever. The devices are defined
in device.te and other xen calls are defined in xen.if, they are not the
same.
* [refpolicy] services_snmp.patch
2008-12-03 23:09 ` Daniel J Walsh
@ 2008-12-04 13:07 ` Christopher J. PeBenito
2008-12-04 19:21 ` Daniel J Walsh
0 siblings, 1 reply; 14+ messages in thread
From: Christopher J. PeBenito @ 2008-12-04 13:07 UTC (permalink / raw)
To: refpolicy
On Wed, 2008-12-03 at 18:09 -0500, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
> >>
> >> Communicates with virtual machines and xen machines
> >
> > I put the kernel_*_xen_state() calls in with the other xen_*() calls.
> >
> > Merged with some other tweaks.
> >
> But the xen stuff is optional while the kernel* calls are not. So if
> you used a policy without xen policy you still want to use the xen device.
That doesn't make any sense to me. Why would it still be using the xen
proc interfaces if there is no xen?
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_snmp.patch
2008-12-03 15:32 ` Christopher J. PeBenito
@ 2008-12-03 23:09 ` Daniel J Walsh
2008-12-04 13:07 ` Christopher J. PeBenito
0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2008-12-03 23:09 UTC (permalink / raw)
To: refpolicy
Christopher J. PeBenito wrote:
> On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
>>
>> Add initrc labeling support
>>
>> /var/agentx needs a label
>>
>> Clean up admin interface
>>
>> snmp needs getsched, setsched
>>
>> needs ipc_lock and sys_ptrace
>
> These two caps came up earlier this week; it makes me wonder if there is
> any similarity (does it fit into a pattern?). The other one had kill
> (was already on snmpd_t), sys_ptrace, and ipc_lock too. Snmpd doesn't
> have process ptrace or process sigkill perms, which is why this seems
> questionable.
>
>> Reads file systems and rw xen state
>>
>> Dontaudit ptrace domains
>>
>> Checks all executables
>>
>> Does walks of the file systems
>>
>> Execs consoletype,
>>
>> Communicates with virtual machines and xen machines
>
> I put the kernel_*_xen_state() calls in with the other xen_*() calls.
>
> Merged with some other tweaks.
>
But the xen stuff is optional while the kernel* calls are not. So if
you used a policy without xen policy you still want to use the xen device.
* [refpolicy] services_snmp.patch
2008-11-25 21:23 Daniel J Walsh
@ 2008-12-03 15:32 ` Christopher J. PeBenito
2008-12-03 23:09 ` Daniel J Walsh
0 siblings, 1 reply; 14+ messages in thread
From: Christopher J. PeBenito @ 2008-12-03 15:32 UTC (permalink / raw)
To: refpolicy
On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
>
> Add initrc labeling support
>
> /var/agentx needs a label
>
> Clean up admin interface
>
> snmp needs getsched, setsched
>
> needs ipc_lock and sys_ptrace
These two caps came up earlier this week; it makes me wonder if there is
any similarity (does it fit into a pattern?). The other one had kill
(was already on snmpd_t), sys_ptrace, and ipc_lock too. Snmpd doesn't
have process ptrace or process sigkill perms, which is why this seems
questionable.
> Reads file systems and rw xen state
>
> Dontaudit ptrace domains
>
> Checks all executables
>
> Does walks of the file systems
>
> Execs consoletype,
>
> Communicates with virtual machines and xen machines
I put the kernel_*_xen_state() calls in with the other xen_*() calls.
Merged with some other tweaks.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
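
The reviewer's point above, that kill and sys_ptrace on snmpd_t are not matched by process sigkill or process ptrace permissions, can be checked mechanically over a list of allow rules. This is an added example, not part of the thread or the patch; the sample rules, the tracer_t domain and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in `sesearch -A` output style (not taken from the patch).
SAMPLE_RULES = """\
allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin };
allow snmpd_t self:process { signal getsched setsched };
allow snmpd_t snmpd_var_lib_t:file { read write };
allow tracer_t self:capability sys_ptrace;
allow tracer_t domain:process ptrace;
"""

# Capability -> process permission the reviewer expects to accompany it.
PAIRED = {"sys_ptrace": "ptrace", "kill": "sigkill"}

# allow <source> <target>:<class> <perm>;   or   ... { <perm> <perm> ... };
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")


def parse_rules(text):
    """Return {source: {class: set(perms)}} for every allow rule in text."""
    perms = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a plain allow rule
        source, _target, tclass, braced, single = m.groups()
        perms[source][tclass].update((braced or single).split())
    return perms


def unpaired_capabilities(text):
    """List (domain, capability, missing process perm) mismatches."""
    findings = []
    for source, classes in sorted(parse_rules(text).items()):
        for cap, proc_perm in sorted(PAIRED.items()):
            if cap in classes["capability"] and proc_perm not in classes["process"]:
                findings.append((source, cap, proc_perm))
    return findings


if __name__ == "__main__":
    for domain, cap, missing in unpaired_capabilities(SAMPLE_RULES):
        print(f"{domain}: capability {cap} without process {missing}")
```

A finding is a prompt for review rather than proof of a policy error: it marks a capability that the domain cannot exercise against any process, which is the mismatch the reply calls questionable.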
* [refpolicy] services_snmp.patch
@ 2008-11-25 21:23 Daniel J Walsh
2008-12-03 15:32 ` Christopher J. PeBenito
0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2008-11-25 21:23 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
Add initrc labeling support
/var/agentx needs a label
Clean up admin interface
snmp needs getsched, setsched
needs ipc_lock and sys_ptrace
Reads file systems and rw xen state
Dontaudit ptrace domains
Checks all executables
Does walks of the file systems
Execs consoletype,
Communicates with virtual machines and xen machines
* [refpolicy] services_snmp.patch
@ 2008-10-14 19:33 Daniel J Walsh
0 siblings, 0 replies; 14+ messages in thread
From: Daniel J Walsh @ 2008-10-14 19:33 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_snmp.patch
Add initscript labeling
Add label for /var/agentx
Fix admin interface
Needs sys_ptrace
Needs getsched and setsched
Reads fs_sysctls
Tries to ptrace all domains.
Needs execute on all entry files
Wants to read all files on the system
uses getpw so needs auth_use_nsswitch
execs consoletype.