SELinux-Refpolicy Archive on lore.kernel.org
* New boolean for using bluetooth
@ 2019-04-25 16:58 Lukas Vrabec
  2019-04-26  0:04 ` Russell Coker
  2019-04-26  9:02 ` Jason Zaman
  0 siblings, 2 replies; 4+ messages in thread
From: Lukas Vrabec @ 2019-04-25 16:58 UTC (permalink / raw)
  To: selinux-refpolicy


Hi All,

I added a new SELinux boolean [1][2] to the Fedora SELinux policy called
deny_bluetooth.

I would like to push it to refpolicy as well; however, refpolicy is not
using bluetooth_socket at all: it's defined in the policy but not used by
any SELinux domain. Can I create a patch that also adds these rules from
the Fedora policy? Also, for some reason my colleagues didn't follow the
naming conventions for global booleans in refpolicy (I didn't find any
deny_* boolean in refpolicy). So if it makes sense to add this kind of
boolean to refpolicy as well, should I define it as allow_bluetooth?

[1]https://github.com/fedora-selinux/selinux-policy/commit/54c05f2645a660c545ec406558b42687df2552a7
[2]
https://github.com/fedora-selinux/selinux-policy-contrib/commit/5a0561d7b67ae8403d4e1a44acfc8db40ee269a5

Thanks,
Lukas.

-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.




* Re: New boolean for using bluetooth
  2019-04-25 16:58 New boolean for using bluetooth Lukas Vrabec
@ 2019-04-26  0:04 ` Russell Coker
  2019-04-26  9:02 ` Jason Zaman
  1 sibling, 0 replies; 4+ messages in thread
From: Russell Coker @ 2019-04-26  0:04 UTC (permalink / raw)
  To: Lukas Vrabec, selinux-refpolicy

SE Linux is based on a default-deny model, so failing to allow something means denying it at the lowest levels of policy. So probably a deny boolean is a bad idea.

As for writing a patch: is Fedora still very different from upstream? If so, you need to do the patch for upstream separately.

On 26 April 2019 2:58:27 am AEST, Lukas Vrabec <lvrabec@redhat.com> wrote:
>Hi All,
>
>I added a new SELinux boolean [1][2] to the Fedora SELinux policy called
>deny_bluetooth.
>
>I would like to push it to refpolicy as well; however, refpolicy is not
>using bluetooth_socket at all: it's defined in the policy but not used by
>any SELinux domain. Can I create a patch that also adds these rules
>from
>the Fedora policy? Also, for some reason my colleagues didn't follow the
>naming conventions for global booleans in refpolicy (I didn't find any
>deny_* boolean in refpolicy). So if it makes sense to add this kind of
>boolean to refpolicy as well, should I define it as allow_bluetooth?
>
>[1]https://github.com/fedora-selinux/selinux-policy/commit/54c05f2645a660c545ec406558b42687df2552a7
>[2]
>https://github.com/fedora-selinux/selinux-policy-contrib/commit/5a0561d7b67ae8403d4e1a44acfc8db40ee269a5
>
>Thanks,
>Lukas.

-- 
Sent from my Huawei Mate 9 with K-9 Mail.


* Re: New boolean for using bluetooth
  2019-04-25 16:58 New boolean for using bluetooth Lukas Vrabec
  2019-04-26  0:04 ` Russell Coker
@ 2019-04-26  9:02 ` Jason Zaman
  2019-04-26  9:23   ` Lukas Vrabec
  1 sibling, 1 reply; 4+ messages in thread
From: Jason Zaman @ 2019-04-26  9:02 UTC (permalink / raw)
  To: Lukas Vrabec; +Cc: selinux-refpolicy

On Thu, Apr 25, 2019 at 06:58:27PM +0200, Lukas Vrabec wrote:
> Hi All,
> 
> I added a new SELinux boolean [1][2] to the Fedora SELinux policy called
> deny_bluetooth.
> 
> I would like to push it to refpolicy as well; however, refpolicy is not
> using bluetooth_socket at all: it's defined in the policy but not used by
> any SELinux domain. Can I create a patch that also adds these rules from
> the Fedora policy? Also, for some reason my colleagues didn't follow the
> naming conventions for global booleans in refpolicy (I didn't find any
> deny_* boolean in refpolicy). So if it makes sense to add this kind of
> boolean to refpolicy as well, should I define it as allow_bluetooth?

I'd love for these to be upstreamed! But yes, it should be named
"allow_bluetooth" and should be disabled by default. Refpolicy doesn't have
any deny_* booleans, and always defaults to disabled.
(When we pull down into Gentoo some booleans are enabled by default, but
upstream always goes the secure route.)

-- Jason

> [1]https://github.com/fedora-selinux/selinux-policy/commit/54c05f2645a660c545ec406558b42687df2552a7
> [2]
> https://github.com/fedora-selinux/selinux-policy-contrib/commit/5a0561d7b67ae8403d4e1a44acfc8db40ee269a5
> 
> Thanks,
> Lukas.
> 
> -- 
> Lukas Vrabec
> Senior Software Engineer, Security Technologies
> Red Hat, Inc.
> 

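The two boolean shapes discussed in this thread (the deny_bluetooth form Lukas describes and the allow_bluetooth form Jason asks for), written side by side in refpolicy syntax. This is an added illustration, not code from the thread, from the linked Fedora commits, or from refpolicy itself. gen_tunable, tunable_policy, the bluetooth_socket class and the create_stream_socket_perms permission set are existing refpolicy macros and classes; the domain bluetooth_user_t is a hypothetical placeholder, and the rule bodies are assumed rather than copied from either commit. The two blocks are shown together only for contrast; a real policy would carry one or the other.

```m4
## <desc>
##	<p>
##	Allow confined domains to create and use Bluetooth sockets.
##	</p>
## </desc>
gen_tunable(allow_bluetooth, false)

# Refpolicy style: the access is absent from the shipped policy and only
# appears when an administrator turns the boolean on. The second argument
# of tunable_policy holds the rules that apply while the boolean is true,
# so with the default of false a bluetooth_socket request from
# bluetooth_user_t (a hypothetical domain used only here) is denied.
tunable_policy(`allow_bluetooth',`
	allow bluetooth_user_t self:bluetooth_socket create_stream_socket_perms;
')

# The shape refpolicy avoids: a deny_* boolean. Its default of false
# has to mean "not denied", so the allow rule lands in the third argument
# of tunable_policy (the rules that apply while the boolean is false).
# The policy then ships with Bluetooth sockets permitted and an
# administrator must opt out, which inverts the default-deny model
# Russell describes above.
gen_tunable(deny_bluetooth, false)
tunable_policy(`deny_bluetooth',`',`
	allow bluetooth_user_t self:bluetooth_socket create_stream_socket_perms;
')
```

After the module is built and loaded, `getsebool allow_bluetooth` reports the boolean's current state, and `sesearch -A -s bluetooth_user_t -c bluetooth_socket` from setools lists the conditional allow rule together with the boolean it depends on, which is a quick way to confirm that the rule really is gated the way the source intends.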

* Re: New boolean for using bluetooth
  2019-04-26  9:02 ` Jason Zaman
@ 2019-04-26  9:23   ` Lukas Vrabec
  0 siblings, 0 replies; 4+ messages in thread
From: Lukas Vrabec @ 2019-04-26  9:23 UTC (permalink / raw)
  To: Jason Zaman; +Cc: selinux-refpolicy


On 4/26/19 11:02 AM, Jason Zaman wrote:
> On Thu, Apr 25, 2019 at 06:58:27PM +0200, Lukas Vrabec wrote:
>> Hi All,
>>
>> I added a new SELinux boolean [1][2] to the Fedora SELinux policy called
>> deny_bluetooth.
>>
>> I would like to push it to refpolicy as well; however, refpolicy is not
>> using bluetooth_socket at all: it's defined in the policy but not used by
>> any SELinux domain. Can I create a patch that also adds these rules from
>> the Fedora policy? Also, for some reason my colleagues didn't follow the
>> naming conventions for global booleans in refpolicy (I didn't find any
>> deny_* boolean in refpolicy). So if it makes sense to add this kind of
>> boolean to refpolicy as well, should I define it as allow_bluetooth?
> 
> I'd love for these to be upstreamed! But yes, it should be named
> "allow_bluetooth" and should be disabled by default. Refpolicy doesn't have
> any deny_* booleans, and always defaults to disabled.
> (When we pull down into Gentoo some booleans are enabled by default, but
> upstream always goes the secure route.)
> 

I see, okay. I will send a patch shortly.

Thanks,
Lukas.

> -- Jason
> 
>> [1]https://github.com/fedora-selinux/selinux-policy/commit/54c05f2645a660c545ec406558b42687df2552a7
>> [2]
>> https://github.com/fedora-selinux/selinux-policy-contrib/commit/5a0561d7b67ae8403d4e1a44acfc8db40ee269a5
>>
>> Thanks,
>> Lukas.
>>
>> -- 
>> Lukas Vrabec
>> Senior Software Engineer, Security Technologies
>> Red Hat, Inc.
>>
-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.

