From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: Latest updates
Date: Mon, 04 Sep 2006 11:15:46 -0400
Message-ID: <1157382946.3199.211.camel@sgc>
In-Reply-To: <44F88DD4.6020804@redhat.com>
On Fri, 2006-09-01 at 15:45 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Thu, 2006-08-31 at 15:16 -0400, Daniel J Walsh wrote:
> >> Fixing some labels to match what actually ends up on disk see /boot/grub
> >
> > These say /boot/grup; I assume this is a typo. Also they should be in
> > the files module.
On further review, why does /boot/grub/* need to be boot_runtime_t?
GRUB shouldn't be writing these files.
> >> Please change /opt java line to match what IBM ships
> >>
> >
> > I'm concerned this is too broad. Can we get additional, more specific
> > regexes?
> >
> >
> I went looking for this, and I believe it was placed in an IBM directory,
> but cannot find it right now.
> Also not sure where BEA places their java.
I'm still going to have to drop this. The more complex regexes we have,
the more likely there will be fc sorting problems.
> >> Lots of domains need term_dontaudit_use_unallocated_ttys for startup
> >> from a tty.
> >>
> >
> > Can you clarify this? I don't know what you mean by "startup from a
> > tty".
> >
> >
> Log in to console terminals
>
> ctrl-alt-f1
>
> restart daemons, generated lots of avc messages when daemons try to talk
> to tty_device_t.
>
> you will see this same pattern on almost all daemons.
Ok, so this is a direct_run_init+targeted issue. Now it makes sense to
put it back into init_daemon_domain(). I'll take care of that.
> >> NetworkManager wants to ptrace itself
> >
> > I can't reproduce this on my notebook. Can you look more into this? It
> > seems highly irregular.
> >
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204161
I installed gdb to reproduce this, and I got the ptrace denial but
didn't get a sys_ptrace denial.
> > udev transition to dhcpc
> >
> It does when networks are plugged in, I believe.
That's odd, because that sounds like networkmanager's job.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150