From: James Carter <jwcart2@gmail.com>
To: Richard Haines <richard_c_haines@btinternet.com>
Cc: Paul Moore <paul@paul-moore.com>,
	Dominick Grift <dominick.grift@defensec.nl>,
	SElinux list <selinux@vger.kernel.org>
Subject: Re: [SELinux-notebook PATCH v5] adds CIL policy with makefile
Date: Tue, 21 Jul 2020 14:37:53 -0400
Message-ID: <CAP+JOzSrGLc3i=P-rPOnsLSLQnaZm+W7Xb4oNwjNDz4AquJpNA@mail.gmail.com>
In-Reply-To: <d37dcc1e21d3292c4112810c7d398d5590e14d14.camel@btinternet.com>

On Tue, Jul 21, 2020 at 12:56 PM Richard Haines
<richard_c_haines@btinternet.com> wrote:
>
> On Tue, 2020-07-21 at 12:42 -0400, Paul Moore wrote:
> > On Sun, Jul 19, 2020 at 2:17 PM Dominick Grift
> > <dominick.grift@defensec.nl> wrote:
> > > This example CIL policy takes a different approach:
> > >
> > > 1. Leverages CIL
> > > 2. Installs using semodule to make it tunable at runtime (but you
> > > can obviously also use secilc to build a monolithic version and
> > > deploy that)
> > > 3. Makes few assumptions about variables
> > > 4. Leverages handleunknown allow and declares least required access
> > > vectors so that you can pick and choose which access vectors you
> > > want to use and ignore the remainder
> > > 5. Leverages unlabeled and file ISID and makes no assumptions about
> > > any volatile filesystems you may or may not use
> > > 6. As small and simple as reasonably possible, heavily documented
> > > 7. Modern, Requires SELinux 3.1
> > >
> > > Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
> > > ---
> > > v2: rename XWAYLAND.md to XSERVER_XWAYLAND.md and cover both
> > > Xserver as well as Xwayland
> > > V3: fix typo in XSERVER_XWAYLAND.md and exclude x_contexts
> > > altogether
> > > v4: remove XSERVER_XWAYLAND and add the note to README.md, redo
> > > README.md and clean up cil-policy.cil
> > > v5: add -F to fixfiles onboot (onboot should probably just imply
> > > -F)
> > >
> > >  src/cil_overview.md                           |  11 +
> > >  src/notebook-examples/README.md               |   2 +
> > >  src/notebook-examples/cil-policy/Makefile     |  31 ++
> > >  src/notebook-examples/cil-policy/README.md    |  90 ++++
> > >  .../cil-policy/cil-policy.cil                 | 448
> > > ++++++++++++++++++
> > >  5 files changed, 582 insertions(+)
> > >  create mode 100644 src/notebook-examples/cil-policy/Makefile
> > >  create mode 100644 src/notebook-examples/cil-policy/README.md
> > >  create mode 100644 src/notebook-examples/cil-policy/cil-policy.cil
> >
> > James, Richard, you both had comments on previous drafts, does v3
> > look good to you guys?
>
> Yes I've tested this (v4 & V5) a few times and okay on Fedora 32 WS.
>
> Acked-by: Richard Haines <richard_c_haines@btinternet.com>

Looks good.

Acked-by: James Carter <jwcart2@gmail.com>

>
>
> >
> > --
> > paul moore
> > www.paul-moore.com
>


Thread overview: 12+ messages
2020-07-16 10:08 [SELinux-notebook PATCH] adds CIL policy with makefile Dominick Grift
2020-07-16 19:05 ` Richard Haines
2020-07-16 19:42   ` Dominick Grift
2020-07-16 20:02   ` [SELinux-notebook PATCH v2] " Dominick Grift
2020-07-16 20:11   ` [SELinux-notebook PATCH v3] " Dominick Grift
2020-07-18 10:48 ` [SELinux-notebook PATCH v4] " Dominick Grift
2020-07-19  8:52   ` Richard Haines
2020-07-19 18:17   ` [SELinux-notebook PATCH v5] " Dominick Grift
2020-07-21 16:42     ` Paul Moore
2020-07-21 16:56       ` Richard Haines
2020-07-21 18:37         ` James Carter [this message]
2020-07-21 21:08           ` Paul Moore
