From: antoine <antoine@nagafix.co.uk>
To: ivg2@cornell.edu
Cc: SELinux <selinux@tycho.nsa.gov>, walters@redhat.com
Subject: Re: mdadm policy
Date: Fri, 24 Jun 2005 10:35:11 +0100
Message-ID: <1119605711.9645.28.camel@localhost>
In-Reply-To: <1119577846.20101.26.camel@localhost.localdomain>
> (1) It allows everything the program wants to do, regardless
> of whether it is a good idea.
> > "I think it should probably use macros for shlib and
> > ptys, and use dontaudit instead of allow for some of the devices"
AFAIK, the only one I had missed in the statement above was the tmpfs.
I'll admit I was going to keep zero_device_t and a few others...
> (2) It is not organized in any sensible way. Sensible way means
> making use of existing macros, grouping rules together,
> and commenting *everything* with the purpose for adding
> that rule (or better yet group of rules) - this is the
> overall action that you want to allow with this block of rules.
As above. Once the devices are gone and you use macros where possible,
it kind of organises itself.
> (3) It adds primitive rules for things already present in macros.
> For example, the daemon_domain covers the transition.
Missed that little one, thanks. (no harm done)
> (4)...and there's numerous specific things wrong with it,
Numerous? That covers pretty much everything already! It isn't that big.
> that I won't go into....starting from lack of exec_type on
> the bin_type, not following naming conventions, etc..
bin_type: Ooops.
What naming conventions did I miss?
Thanks for the policy, it is definitely much cleaner with macros
(although fundamentally not that different - which is good news for me).
Just a few questions: does it really need:
* read access to all of etc_t and etc_runtime_t?
* self:capability dac_override ipc_lock
* read_sysctl(mdadm_t)
* r_dir_file(mdadm_t, sysfs_t)
* read_locale(mdadm_t)
Anyone know? Mine works without them.
I guess it allows execution of /bin and /sbin for the "PROGRAM" user
defined action, so I could keep it more restricted by only allowing
execution of sendmail_exec_t for my use. Since this is the only
statement in the policy that allows execution of external code, it feels
like the most important place to put restrictions on.
Thanks
Antoine
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
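An added illustration, not code from Antoine, Ivan or anyone else in this thread: a minimal mdadm.te fragment in the macro style of the 2005-era example policy, putting the points raised above side by side: daemon_domain instead of a hand-written type declaration and init transition (the "exec_type on the bin_type" and "daemon_domain covers the transition" remarks), dontaudit rather than allow for devices the program merely probes, and execution of external code limited to sendmail_exec_t instead of everything in /bin and /sbin. Names not on this page (fixed_disk_device_t, tmpfs_t, rw_file_perms, domain_auto_trans, system_mail_t, the mta.te ifdef and the /sbin/mdadm file context) are assumptions about that policy tree, not something the thread confirms. The rules Antoine questions are listed but disabled, because the thread does not settle whether mdadm needs them.

```m4
dnl Added example, not from the thread. Macro and type names that do not
dnl appear in the mailing-list message are assumptions about the 2005
dnl example policy. Comments use dnl rather than "#": the policy is run
dnl through m4 before checkpolicy, and m4 would otherwise expand any macro
dnl name that happens to appear inside a "#" comment.
dnl
dnl daemon_domain declares mdadm_t and mdadm_exec_t (the latter with the
dnl exec_type attribute) and adds the transition from init/initrc, so no
dnl hand-written "type mdadm_exec_t, file_type;" or transition rule is needed.
daemon_domain(mdadm)

dnl file_contexts entry, kept in a separate file in the tree (assumed path):
dnl   /sbin/mdadm  --  system_u:object_r:mdadm_exec_t

dnl The real work: mdadm assembles arrays from block devices, so it needs
dnl read/write on disk device nodes (fixed_disk_device_t is assumed to exist).
allow mdadm_t fixed_disk_device_t:blk_file rw_file_perms;

dnl Probes the program makes but does not need to succeed: silence the AVC
dnl denial instead of granting the access ("dontaudit instead of allow").
dontaudit mdadm_t zero_device_t:chr_file { read write };
dontaudit mdadm_t tmpfs_t:dir search;

dnl Execution of external code. The PROGRAM action runs a command; letting
dnl the domain execute all of bin_t and sbin_t would allow it to launch
dnl anything installed there. Limiting it to the mailer binary, with a
dnl transition into the mail domain, is the narrowest rule that still
dnl supports the notification use case described in the thread.
ifdef(`mta.te', `
domain_auto_trans(mdadm_t, sendmail_exec_t, system_mail_t)
')

dnl Rules the thread asks about but does not resolve; Antoine reports his
dnl policy working without them. Left disabled until an AVC denial shows
dnl a concrete need, then enabled one at a time with a comment saying why.
dnl allow mdadm_t self:capability { dac_override ipc_lock };
dnl read_sysctl(mdadm_t)
dnl r_dir_file(mdadm_t, sysfs_t)
dnl read_locale(mdadm_t)
dnl r_dir_file(mdadm_t, { etc_t etc_runtime_t })
```

The disabled block at the end is the practical check for questions like "does it really need dac_override?": load the policy without the rule, exercise the daemon, and let audit denials (or their absence) decide, rather than granting capabilities on the assumption that the program might want them.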