* [refpolicy] apps_irc.patch @ 2010-06-02 20:05 Daniel J Walsh 2010-06-21 13:09 ` Christopher J. PeBenito 0 siblings, 1 reply; 5+ messages in thread From: Daniel J Walsh @ 2010-06-02 20:05 UTC (permalink / raw) To: refpolicy http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_irc.patch isc policy updates from Dominic Grift. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] apps_irc.patch 2010-06-02 20:05 [refpolicy] apps_irc.patch Daniel J Walsh @ 2010-06-21 13:09 ` Christopher J. PeBenito 2010-06-21 14:53 ` Dominick Grift 0 siblings, 1 reply; 5+ messages in thread From: Christopher J. PeBenito @ 2010-06-21 13:09 UTC (permalink / raw) To: refpolicy On Wed, 2010-06-02 at 16:05 -0400, Daniel J Walsh wrote: > http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_irc.patch > > isc policy updates from Dominic Grift. Why does irssi need a special domain? Why can't it just use/augment the irc_t domain? -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] apps_irc.patch 2010-06-21 13:09 ` Christopher J. PeBenito @ 2010-06-21 14:53 ` Dominick Grift 2010-06-22 12:51 ` Christopher J. PeBenito 0 siblings, 1 reply; 5+ messages in thread From: Dominick Grift @ 2010-06-21 14:53 UTC (permalink / raw) To: refpolicy On Mon, Jun 21, 2010 at 09:09:35AM -0400, Christopher J. PeBenito wrote: > On Wed, 2010-06-02 at 16:05 -0400, Daniel J Walsh wrote: > > http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_irc.patch > > > > isc policy updates from Dominic Grift. > > Why does irssi need a special domain? Why can't it just use/augment the > irc_t domain? Because of this: allow irc_t self:unix_stream_socket create_stream_socket_perms; allow irc_t self:tcp_socket create_socket_perms; manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) kernel_read_proc_symlinks(irc_t) corenet_tcp_sendrecv_all_ports(irc_t) corenet_udp_sendrecv_all_ports(irc_t) corenet_tcp_connect_all_ports(irc_t) corenet_sendrecv_all_client_packets(irc_t) domain_use_interactive_fds(irc_t) files_dontaudit_search_pids(irc_t) files_search_var(irc_t) fs_getattr_xattr_fs(irc_t) term_use_controlling_term(irc_t) term_list_ptys(irc_t) init_read_utmp(irc_t) init_dontaudit_lock_utmp(irc_t) seutil_use_newrole_fds(irc_t) allow irssi_t self:process { signal sigkill }; allow irssi_t self:fifo_file rw_fifo_file_perms; allow irssi_t self:netlink_route_socket create_netlink_socket_perms; allow irssi_t self:tcp_socket create_stream_socket_perms; allow irssi_t irssi_etc_t:file read_file_perms; kernel_read_system_state(irssi_t) corecmd_read_bin_symlinks(irssi_t) corenet_udp_sendrecv_generic_node(irssi_t) corenet_tcp_connect_ircd_port(irssi_t) corenet_tcp_connect_http_cache_port(irssi_t) corenet_sendrecv_http_cache_client_packets(irssi_t) corenet_tcp_connect_gatekeeper_port(irssi_t) corenet_sendrecv_gatekeeper_client_packets(irssi_t) dev_read_urand(irssi_t) dev_read_rand(irssi_t) miscfiles_read_certs(irssi_t) tunable_policy(`irssi_use_full_network',` corenet_tcp_bind_all_unreserved_ports(irssi_t) corenet_tcp_connect_all_ports(irssi_t) corenet_sendrecv_all_client_packets(irssi_t) corenet_sendrecv_generic_server_packets(irssi_t) ') optional_policy(` automount_dontaudit_getattr_tmp_dirs(irssi_t) ') optional_policy(` nscd_socket_use(irssi_t ') I think its just too much overhead. Besides i do not agree with some of the security decisions made for the irc_t domain. So the best compromise in my view is to just add a new irssi_t domain to the existing irc module. That said, i think the patch that is in question here is not what i currently have in my repository. In my repository i have combined all policy that is common to both irc_t and irssi_t in a irc_domain section (attribute irc_domain for both irc_t, irssi_t) Also if i am not mistaken, i have submitted a patch where irssi was merged into the irc_t domain some time ago, That patch has not made it in either for some reason. > > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100621/29e60178/attachment.bin ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] apps_irc.patch 2010-06-21 14:53 ` Dominick Grift @ 2010-06-22 12:51 ` Christopher J. PeBenito 0 siblings, 0 replies; 5+ messages in thread From: Christopher J. PeBenito @ 2010-06-22 12:51 UTC (permalink / raw) To: refpolicy On Mon, 2010-06-21 at 16:53 +0200, Dominick Grift wrote: > On Mon, Jun 21, 2010 at 09:09:35AM -0400, Christopher J. PeBenito wrote: > > On Wed, 2010-06-02 at 16:05 -0400, Daniel J Walsh wrote: > > > http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_irc.patch > > > > > > isc policy updates from Dominic Grift. > > > > Why does irssi need a special domain? Why can't it just use/augment the > > irc_t domain? > > Because of this: > > allow irc_t self:unix_stream_socket create_stream_socket_perms; > allow irc_t self:tcp_socket create_socket_perms; > > manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) > manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) > manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) > manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) > manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) > files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) > > kernel_read_proc_symlinks(irc_t) > > corenet_tcp_sendrecv_all_ports(irc_t) > corenet_udp_sendrecv_all_ports(irc_t) > corenet_tcp_connect_all_ports(irc_t) > corenet_sendrecv_all_client_packets(irc_t) > > domain_use_interactive_fds(irc_t) > > files_dontaudit_search_pids(irc_t) > files_search_var(irc_t) > > fs_getattr_xattr_fs(irc_t) > > term_use_controlling_term(irc_t) > term_list_ptys(irc_t) > > init_read_utmp(irc_t) > init_dontaudit_lock_utmp(irc_t) > > seutil_use_newrole_fds(irc_t) > > allow irssi_t self:process { signal sigkill }; > allow irssi_t self:fifo_file rw_fifo_file_perms; > allow irssi_t self:netlink_route_socket create_netlink_socket_perms; > allow irssi_t self:tcp_socket create_stream_socket_perms; > > allow irssi_t irssi_etc_t:file read_file_perms; > > kernel_read_system_state(irssi_t) > > corecmd_read_bin_symlinks(irssi_t) > > corenet_udp_sendrecv_generic_node(irssi_t) > corenet_tcp_connect_ircd_port(irssi_t) > > corenet_tcp_connect_http_cache_port(irssi_t) > corenet_sendrecv_http_cache_client_packets(irssi_t) > > corenet_tcp_connect_gatekeeper_port(irssi_t) > corenet_sendrecv_gatekeeper_client_packets(irssi_t) > > dev_read_urand(irssi_t) > dev_read_rand(irssi_t) > > miscfiles_read_certs(irssi_t) > > tunable_policy(`irssi_use_full_network',` > corenet_tcp_bind_all_unreserved_ports(irssi_t) > corenet_tcp_connect_all_ports(irssi_t) > corenet_sendrecv_all_client_packets(irssi_t) > corenet_sendrecv_generic_server_packets(irssi_t) > ') > > optional_policy(` > automount_dontaudit_getattr_tmp_dirs(irssi_t) > ') > > optional_policy(` > nscd_socket_use(irssi_t > ') > > I think its just too much overhead. I'm not clear on what you're saying > Besides i do not agree with some of the security decisions made for > the irc_t domain. Please be more specific. > So the best compromise in my view is to just add a new irssi_t domain > to the existing irc module. > > That said, i think the patch that is in question here is not what i > currently have in my repository. In my repository i have combined all > policy that is common to both irc_t and irssi_t in a irc_domain > section (attribute irc_domain for both irc_t, irssi_t) > > Also if i am not mistaken, i have submitted a patch where irssi was > merged into the irc_t domain some time ago, That patch has not made it > in either for some reason. Its easy to get lost in the flood due to the number of patches I get from Dan. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] apps_irc.patch @ 2010-08-26 22:37 Daniel J Walsh 0 siblings, 0 replies; 5+ messages in thread From: Daniel J Walsh @ 2010-08-26 22:37 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_irc.patch Fix ups or irc_admin and role interface policy for irssi -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkx27LAACgkQrlYvE4MpobNWMwCgs8s7PESm3SwUzdpvTEw4QHBf +CoAn14emw0hZEZIRf5JDqW+UrNKxMiO =nJ8D -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2010-08-26 22:37 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2010-06-02 20:05 [refpolicy] apps_irc.patch Daniel J Walsh 2010-06-21 13:09 ` Christopher J. PeBenito 2010-06-21 14:53 ` Dominick Grift 2010-06-22 12:51 ` Christopher J. PeBenito -- strict thread matches above, loose matches on Subject: below -- 2010-08-26 22:37 Daniel J Walsh
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.