From: Chris PeBenito <pebenito@ieee.org>
To: russell@coker.com.au
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login
Date: Thu, 3 Jan 2019 17:34:51 -0500
Message-ID: <bd820fb1-f98d-3ade-3be0-eb76e5a7c431@ieee.org>
In-Reply-To: <1772308.Oo6GzzOkXA@xev>
On 1/2/19 8:27 PM, Russell Coker wrote:
> Would you like me to resubmit those patches or would you rather just add them
> with the changes you suggest?
My preference in this case would be resubmit.
> On Thursday, 3 January 2019 10:52:55 AM AEDT Chris PeBenito wrote:
>> On 1/2/19 3:40 AM, Russell Coker wrote:
>>> Lots of little things that are self-explanatory.
>>>
>>> Boinc has some unusual stuff for lsb_release -a and for mmaping
>>> ld.so.cache.
>>>
>>> Remove obsolete policy from syncthing as we have it in
>>> sysnet_dns_name_resolve().
>>
>> [...]
>>
>>> Index: refpolicy-2.20180701/policy/modules/services/boinc.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
>>> +++ refpolicy-2.20180701/policy/modules/services/boinc.te
>>
>> [...]
>>
>>> @@ -169,7 +173,7 @@ optional_policy(`
>>>
>>> #
>>>
>>> allow boinc_project_t self:capability { setgid setuid };
>>>
>>> -allow boinc_project_t self:process { execmem execstack noatsecure ptrace
>>> setcap getcap setpgid setsched signal_perms }; +allow boinc_project_t
>>> self:process { execmem execstack noatsecure ptrace setcap getcap setpgid
>>> setsched signal signal_perms };
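Review bot: The only change in this hunk is appending `signal` to the `self:process` set on the `+allow boinc_project_t self:process { ... }` line, and `signal` is already contained in `signal_perms`, which the line keeps, so the resulting policy is identical to the original line and the hunk should be dropped from the patch. Dropping it also keeps the diff from touching the existing `execmem execstack noatsecure ptrace` grant, which is not what this patch is about.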
>> This change shouldn't be necessary since signal is already in signal_perms.
>>
>> [...]
>>
>>> --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
>>> +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
>>> @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
>>>
>>> #######################################
>>> ## <summary>
>>>
>>> +## relabel the last logins log.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`auth_relabel_lastlog',`
>>> + gen_require(`
>>> + type lastlog_t;
>>> + ')
>>> +
>>> + logging_search_logs($1)
>>> + allow $1 lastlog_t:file { relabelfrom relabelto };
>>> +')
>>> +
>>> +#######################################
>>> +## <summary>
>>>
>>> ## Read and write to the last logins log.
>>> ## </summary>
>>> ## <param name="domain">
>>>
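Review bot: The summary line `+## relabel the last logins log.` breaks the capitalisation used by the neighbouring interface summaries (`## Read and write to the last logins log.`); change it to `## Relabel the last logins log.`. The body itself is the right shape for a dedicated relabel interface: `logging_search_logs($1)` for path traversal plus only `{ relabelfrom relabelto }` on `lastlog_t:file`, with no read or write access mixed in.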
>>> @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
>>>
>>> ')
>>>
>>> ########################################
>>>
>>> +## <summary>
>>> +## Manage the last logins log.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`auth_manage_lastlog',`
>>> + gen_require(`
>>> + type lastlog_t;
>>> + ')
>>> +
>>> + allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
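Review bot: The `+ allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };` line mixes relabel permissions into a manage interface, so any caller of `auth_manage_lastlog()` could also move files into and out of the `lastlog_t` label even if it only needs to create or write the log. Reduce the line to `allow $1 lastlog_t:file manage_file_perms;` and let callers that genuinely relabel use the `auth_relabel_lastlog()` interface added in the previous hunk of this file, so each interface grants one clearly scoped permission set.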
>>
>> The relabel perms shouldn't be in here. I'd say split it into a new
>> interface, but you're adding the other interface earlier in the patch.
>
>
--
Chris PeBenito
Thread overview:
2019-01-02 8:40 [PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login Russell Coker
2019-01-02 23:52 ` Chris PeBenito
2019-01-03 1:27 ` Russell Coker
2019-01-03 22:34 ` Chris PeBenito [this message]