From: Paul Moore <paul.moore@hp.com>
To: selinux@tycho.nsa.gov, refpolicy@oss1.tresys.com
Subject: [RFC PATCH v1 0/2] Policy support for the new TUN hooks
Date: Tue, 25 Aug 2009 17:12:26 -0400 [thread overview]
Message-ID: <20090825210647.6250.56266.stgit@flek.lan> (raw)
These patches are my first attempt at drafting policy for the new TUN hooks,
any comments or feedback you have would be great. It is worth noting that
permission to create/attach to TUN/TAP devices was not granted to every
domain that has r/w access to the /dev/net/tun device as the operations are
very different; r/w access to /dev/net/tun does not mean the domain needs
the ability to create/attach TUN/TAP devices.
I've done some basic testing but I'm not having a lot of luck running the
current refpolicy on Fedora/Rawhide (unfortunately refpolicy and the current
Rawhide policy diverge quite a bit in a few important areas touched by these
patches), if anyone has any tips I'd love to hear them.
---
Paul Moore (2):
refpol: Policy for the new TUN driver access controls
refpol: Add the "tun_socket" object class flask definitions
policy/flask/access_vectors | 2 ++
policy/flask/security_classes | 2 ++
policy/modules/admin/vpn.te | 1 +
policy/modules/apps/qemu.if | 3 +++
policy/modules/apps/uml.te | 3 +++
policy/modules/services/openvpn.te | 1 +
policy/modules/services/virt.if | 19 +++++++++++++++++++
policy/modules/services/virt.te | 1 +
policy/modules/system/userdomain.if | 23 +++++++++++++++++++++++
policy/modules/system/userdomain.te | 2 ++
policy/modules/system/xen.te | 1 +
11 files changed, 58 insertions(+), 0 deletions(-)
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: paul.moore@hp.com (Paul Moore)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [RFC PATCH v1 0/2] Policy support for the new TUN hooks
Date: Tue, 25 Aug 2009 17:12:26 -0400 [thread overview]
Message-ID: <20090825210647.6250.56266.stgit@flek.lan> (raw)
These patches are my first attempt at drafting policy for the new TUN hooks,
any comments or feedback you have would be great. It is worth noting that
permission to create/attach to TUN/TAP devices was not granted to every
domain that has r/w access to the /dev/net/tun device as the operations are
very different; r/w access to /dev/net/tun does not mean the domain needs
the ability to create/attach TUN/TAP devices.
I've done some basic testing but I'm not having a lot of luck running the
current refpolicy on Fedora/Rawhide (unfortunately refpolicy and the current
Rawhide policy diverge quite a bit in a few important areas touched by these
patches), if anyone has any tips I'd love to hear them.
---
Paul Moore (2):
refpol: Policy for the new TUN driver access controls
refpol: Add the "tun_socket" object class flask definitions
policy/flask/access_vectors | 2 ++
policy/flask/security_classes | 2 ++
policy/modules/admin/vpn.te | 1 +
policy/modules/apps/qemu.if | 3 +++
policy/modules/apps/uml.te | 3 +++
policy/modules/services/openvpn.te | 1 +
policy/modules/services/virt.if | 19 +++++++++++++++++++
policy/modules/services/virt.te | 1 +
policy/modules/system/userdomain.if | 23 +++++++++++++++++++++++
policy/modules/system/userdomain.te | 2 ++
policy/modules/system/xen.te | 1 +
11 files changed, 58 insertions(+), 0 deletions(-)
next reply other threads:[~2009-08-25 21:12 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-25 21:12 Paul Moore [this message]
2009-08-25 21:12 ` [refpolicy] [RFC PATCH v1 0/2] Policy support for the new TUN hooks Paul Moore
2009-08-25 21:12 ` [RFC PATCH v1 1/2] refpol: Add the "tun_socket" object class flask definitions Paul Moore
2009-08-25 21:12 ` [refpolicy] " Paul Moore
2009-08-25 21:12 ` [RFC PATCH v1 2/2] refpol: Policy for the new TUN driver access controls Paul Moore
2009-08-25 21:12 ` [refpolicy] " Paul Moore
2009-08-26 12:49 ` Christopher J. PeBenito
2009-08-26 12:49 ` Christopher J. PeBenito
2009-08-26 14:32 ` Paul Moore
2009-08-26 14:32 ` Paul Moore
2009-08-27 13:54 ` Christopher J. PeBenito
2009-08-27 13:54 ` Christopher J. PeBenito
2009-08-27 14:08 ` Paul Moore
2009-08-27 14:08 ` Paul Moore
2009-08-28 12:33 ` Christopher J. PeBenito
2009-08-28 12:33 ` Christopher J. PeBenito
2009-08-28 14:48 ` Paul Moore
2009-08-28 14:48 ` Paul Moore
2009-08-28 15:49 ` Christopher J. PeBenito
2009-08-28 15:49 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090825210647.6250.56266.stgit@flek.lan \
--to=paul.moore@hp.com \
--cc=refpolicy@oss1.tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.