From: Colin Walters <walters@verbum.org>
To: selinux@tycho.nsa.gov
Cc: Russell Coker <russell@coker.com.au>
Subject: screen.te zsh fixes
Date: 28 Jun 2003 02:36:37 -0400
Message-ID: <1056782197.14920.85.camel@columbia>

[-- Attachment #1: Type: text/plain, Size: 425 bytes --]

Hi,

Similar fixes to screen.te needed for the zsh symlinks.  Patch attached.

You know though, I am thinking more and more that we should treat
/etc/alternatives specially for setfiles.  We could follow the symlink
and label it with the type of the file it points to.  That way we
wouldn't have to add all these special etc_t:{lnk_file} { read }
permissions to various programs that are able to execute bin_t or
whatever.



[-- Attachment #2: screen-te.patch --]
[-- Type: text/plain, Size: 816 bytes --]

--- /usr/share/selinux/policy/default/macros/program/screen_macros.te	Sat May 24 22:07:24 2003
+++ screen_macros.te	Sat Jun 28 02:32:23 2003
@@ -63,7 +63,7 @@
 allow $1_screen_t proc_t:dir search;
 allow $1_screen_t proc_t:lnk_file read;
 dontaudit $1_screen_t device_t:chr_file { getattr };
-allow $1_screen_t etc_t:file { read getattr };
+allow $1_screen_t etc_t:{file lnk_file} { read getattr };
 allow $1_screen_t self:dir { search read };
 allow $1_screen_t self:lnk_file { read };
 allow $1_screen_t device_t:dir search;
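
Review bot: The widened rule `allow $1_screen_t etc_t:{file lnk_file} { read getattr };` grants getattr as well as read on etc_t symlinks, while the bin_t:lnk_file rule added in the next hunk grants only read. If following the zsh symlinks needs read alone, leave the existing etc_t:file line unchanged and add a separate `allow $1_screen_t etc_t:lnk_file { read };`, so the symlink grant is no wider than required and matches the `self:lnk_file { read }` line that follows it.
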
@@ -72,6 +72,7 @@
 allow $1_screen_t self:unix_stream_socket create_socket_perms;
 can_exec($1_screen_t, shell_exec_t)
 allow $1_screen_t bin_t:dir search;
+allow $1_screen_t bin_t:lnk_file { read };
 
 dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr;
 ')
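
Review bot: The added `allow $1_screen_t bin_t:lnk_file { read };` line has no comment explaining why screen needs to read symlinks in bin_t, and nothing in the macro file ties it to the zsh symlinks named in the covering message. A one-line `#` comment above the rule stating that reason would make it clear later whether the permission is still needed. It is also worth confirming that read without getattr is enough here, since the etc_t rule in the first hunk grants both on lnk_file.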
