SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
From: Lukas Vrabec <lvrabec@redhat.com>
To: Jason Zaman <jason@perfinion.com>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: New boolean for using bluetooth
Date: Fri, 26 Apr 2019 11:23:32 +0200
Message-ID: <b518646c-2c69-8c6a-fceb-a7b20b39f525@redhat.com> (raw)
In-Reply-To: <20190426090238.GA33764@baraddur.perfinion.com>

[-- Attachment #1.1: Type: text/plain, Size: 1587 bytes --]

On 4/26/19 11:02 AM, Jason Zaman wrote:
> On Thu, Apr 25, 2019 at 06:58:27PM +0200, Lukas Vrabec wrote:
>> Hi All,
>>
>> I added new SELinux boolean[1][2] to Fedora SELinux policy called
>> deny_bluetooth.
>>
>> I would like to push it also to refpolicy, however, refpolicy is not
>> using bluetooth_socket at all, it's defined in policy but not used by
>> any SELinux domain. Can I create patch also with adding these rules from
>> Fedora policy? And also, for some reason my colleagues didn't follow
>> name conventions of global booleans with refpolicy (I didn't find any
>> deny_* boolean in refpolicy). So if it make sense to add these kind of
>> boolean also to refpolicy, should I defined it as allow_bluetooth ?
> 
> I'd love for these to be upstreamed! but yes it should be named
> "allow_bluetooth" and should be default disabled. Refpolicy doenst have
> any deny_* booleans, and always defaults to disable.
> (When we pull down into gentoo some booleans are default enabled but
> upstream always goes the secure route.)
> 

I see, okay. I will send patch shortly.

Thanks,
Lukas.

> -- Jason
> 
>> [1]https://github.com/fedora-selinux/selinux-policy/commit/54c05f2645a660c545ec406558b42687df2552a7
>> [2]
>> https://github.com/fedora-selinux/selinux-policy-contrib/commit/5a0561d7b67ae8403d4e1a44acfc8db40ee269a5
>>
>> Thanks,
>> Lukas.
>>
>> -- 
>> Lukas Vrabec
>> Senior Software Engineer, Security Technologies
>> Red Hat, Inc.
>>
> 
> 
> 


-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

      reply index

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-25 16:58 Lukas Vrabec
2019-04-26  0:04 ` Russell Coker
2019-04-26  9:02 ` Jason Zaman
2019-04-26  9:23   ` Lukas Vrabec [this message]

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b518646c-2c69-8c6a-fceb-a7b20b39f525@redhat.com \
    --to=lvrabec@redhat.com \
    --cc=jason@perfinion.com \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox