* [refpolicy] Refpolicy status
From: Christopher J. PeBenito @ 2011-04-27 18:36 UTC (permalink / raw)
  To: refpolicy

Since the list has been quiet lately, I have been looking through the
Fedora git repo for things to upstream.  Please let me know if there are
particular things that you think should be upstreamed.

Known things that are still contentious:
* user_type attributes
* admin home dir type
* "leaks" interfaces
* inherited permission sets/interfaces
* systemd -- I believe this is too different from traditional init_t and
warrants its own full policy
* unconfined/unconfineduser module split design

Known unacceptable things:
* unlabelednet module and corenet_enable_unlabeled_packets()

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] Refpolicy status
From: Dominick Grift @ 2011-04-27 19:12 UTC (permalink / raw)
  To: refpolicy

On 04/27/2011 08:36 PM, Christopher J. PeBenito wrote:
> Please let me know if there are particular things that you think should be upstreamed.

Consider synchronizing the cgroup module (also filesystem.fc wrt
cgroup). You may also want to have a look at cobbler's policy and its
dependencies to see if any of it can be merged.

* [refpolicy] Refpolicy status
From: Christopher J. PeBenito @ 2011-04-29 13:38 UTC (permalink / raw)
  To: refpolicy

On 04/27/11 15:12, Dominick Grift wrote:
> On 04/27/2011 08:36 PM, Christopher J. PeBenito wrote:
>> Please let me know if there are particular things that you think should be upstreamed.
> 
> Consider synchronizing the cgroup module (also filesystem.fc wrt
> cgroup). You may also want to have a look at cobbler's policy and its
> dependencies to see if any of it can be merged.

Ok, I already got the filesystem.fc merged in, but it's rearranged, so it
looks like a diff between the two trees.  I'll look at the cgroup and
cobbler modules.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] Refpolicy status
From: Dominick Grift @ 2011-04-29 13:43 UTC (permalink / raw)
  To: refpolicy

On 04/29/2011 03:38 PM, Christopher J. PeBenito wrote:
> 
> Ok, I already got the filesystem.fc merged in, but it's rearranged, so it
> looks like a diff between the two trees.  I'll look at the cgroup and
> cobbler modules.
> 

If you decide to merge cgroup changes then keep in mind that cgroup_t
needs to associate with sysfs_t devices. (filesystem.te:
dev_associate_sysfs(cgroup_t))

This cgroup/sysfs change is mainly for systemd. libcgroup still
installs/uses the /cgroup by default.

* [refpolicy] Refpolicy status
From: Christopher J. PeBenito @ 2011-04-29 13:53 UTC (permalink / raw)
  To: refpolicy

On 04/29/11 09:43, Dominick Grift wrote:
> On 04/29/2011 03:38 PM, Christopher J. PeBenito wrote:
> 
>> Ok, I already got the filesystem.fc merged in, but it's rearranged, so it
>> looks like a diff between the two trees.  I'll look at the cgroup and
>> cobbler modules.
> 
> 
> If you decide to merge cgroup changes then keep in mind that cgroup_t
> needs to associate with sysfs_t devices. (filesystem.te:
> dev_associate_sysfs(cgroup_t))
> 
> This cgroup/sysfs change is mainly for systemd. libcgroup still
> installs/uses the /cgroup by default.

So this means that the /sys fc lines are for systemd systems too, right?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] Refpolicy status
From: Dominick Grift @ 2011-04-29 14:31 UTC (permalink / raw)
  To: refpolicy

On 04/29/2011 03:53 PM, Christopher J. PeBenito wrote:
> On 04/29/11 09:43, Dominick Grift wrote:
>> On 04/29/2011 03:38 PM, Christopher J. PeBenito wrote:
>>
>>> Ok, I already got the filesystem.fc merged in, but it's rearranged, so it
>>> looks like a diff between the two trees.  I'll look at the cgroup and
>>> cobbler modules.
>>
>>
>> If you decide to merge cgroup changes then keep in mind that cgroup_t
>> needs to associate with sysfs_t devices. (filesystem.te:
>> dev_associate_sysfs(cgroup_t))
>>
>> This cgroup/sysfs change is mainly for systemd. libcgroup still
>> installs/uses the /cgroup by default.
> 
> So this means that the /sys fc lines are for systemd systems too, right?
> 

Right. systemd mounts cgroup on:

/sys/fs/cgroup	-d	gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup(/.*)?	<<none>>

but libcgroup mounts cgroup by default on:

/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
/cgroup/.*		<<none>>

* [refpolicy] Refpolicy status
From: Dominick Grift @ 2011-04-29 14:36 UTC (permalink / raw)
  To: refpolicy

On 04/29/2011 04:31 PM, Dominick Grift wrote:

> /sys/fs/cgroup(/.*)?	<<none>>

That should be /sys/fs/cgroup/.* too I guess.

* [refpolicy] Refpolicy status
From: Daniel J Walsh @ 2011-04-29 14:56 UTC (permalink / raw)
  To: refpolicy

On 04/29/2011 10:36 AM, Dominick Grift wrote:
> On 04/29/2011 04:31 PM, Dominick Grift wrote:
> 
>> /sys/fs/cgroup(/.*)?	<<none>>
> 
> That should be /sys/fs/cgroup/.* too I guess.

They are about to move /selinux to /sys/fs/selinux also.

^ permalink raw reply	[flat|nested] 8+ messages in thread
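
An added example, not code from the thread or from refpolicy: a small Python check of the /sys/fs/cgroup file-context entries from the 14:31 and 14:36 messages, listing probe paths that are matched by both a labelling entry and a `<<none>>` entry. It assumes file-context regexes are matched against the whole path and does not model how libselinux chooses between overlapping entries; the probe paths and helper names are constructed for illustration.

```python
import re

# Constructed input: the entries quoted in the thread, as first posted
# and with the follow-up correction applied.
FC_AS_POSTED = """
/sys/fs/cgroup        -d  gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup(/.*)?      <<none>>
"""
FC_CORRECTED = """
/sys/fs/cgroup        -d  gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup/.*         <<none>>
"""
# Hypothetical probe paths: (path, file-type flag; "--" is a regular file).
PROBES = [("/sys/fs/cgroup", "-d"),
          ("/sys/fs/cgroup/cpu", "-d"),
          ("/sys/fs/cgroup/cpu/tasks", "--")]

def parse_fc(text):
    """Parse 'regex [file-type] context' lines into tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) not in (2, 3):
            raise ValueError("unexpected entry: " + line)
        ftype = fields[1] if len(fields) == 3 else None  # None = any type
        entries.append((re.compile(fields[0]), ftype, fields[-1]))
    return entries

def matches(entries, path, ftype):
    """Contexts of all entries whose whole-path regex and type match."""
    return [ctx for rx, ft, ctx in entries
            if rx.fullmatch(path) and ft in (None, ftype)]

def overlaps(entries, probes):
    """Paths claimed by both a labelling entry and a <<none>> entry."""
    hits = []
    for path, ftype in probes:
        ctxs = matches(entries, path, ftype)
        if "<<none>>" in ctxs and any(c != "<<none>>" for c in ctxs):
            hits.append(path)
    return hits

if __name__ == "__main__":
    for name, text in (("as posted", FC_AS_POSTED), ("corrected", FC_CORRECTED)):
        print(name, "->", overlaps(parse_fc(text), PROBES))
```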
