From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 3/5] Introduce dontaudits for leaked fd and unix stream sockets
Date: Wed, 14 Nov 2012 20:20:15 +0100 [thread overview]
Message-ID: <20121114192015.GA4196@siphos.be> (raw)
In-Reply-To: <1352916373.3654.3.camel@d30.localdomain>
On Wed, Nov 14, 2012 at 07:06:13PM +0100, Dominick Grift wrote:
> > +interface(`fail2ban_dontaudit_rw_stream_sockets',`
> > + gen_require(`
> > + type fail2ban_t;
> > + ')
> > +
> > + dontaudit $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
> > +')
>
> We should read create a rw_inherited_socket_perms permission set and use
> that instead in my honest opinion
Would a more generic "rw_inherited_perms" be sufficient (i.e. without
referring to the class)? As far as I know, inherited file descriptors or
sockets (or ...) are usually just { read write };
Wkr,
Sven Vermeulen
next prev parent reply other threads:[~2012-11-14 19:20 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-10 16:50 [refpolicy] [PATCH 0/5] Small batch of updates for contrib Sven Vermeulen
2012-11-10 16:50 ` [refpolicy] [PATCH 1/5] Introducing cron_manage_log_files interface Sven Vermeulen
2012-11-14 18:09 ` Dominick Grift
2012-11-10 16:50 ` [refpolicy] [PATCH 2/5] Portage fetch domain needs to access certificates Sven Vermeulen
2012-11-14 18:08 ` Dominick Grift
2012-11-10 16:50 ` [refpolicy] [PATCH 3/5] Introduce dontaudits for leaked fd and unix stream sockets Sven Vermeulen
2012-11-14 18:06 ` Dominick Grift
2012-11-14 19:20 ` Sven Vermeulen [this message]
2012-11-14 19:37 ` Dominick Grift
2012-11-14 20:18 ` Sven Vermeulen
2012-11-14 20:31 ` Dominick Grift
2012-11-10 16:50 ` [refpolicy] [PATCH 4/5] Dontaudit attempts by system_mail_t to use leaked fd or " Sven Vermeulen
2012-11-14 18:05 ` Dominick Grift
2012-11-10 16:50 ` [refpolicy] [PATCH 5/5] Support at service Sven Vermeulen
2012-11-14 18:03 ` Dominick Grift
2012-11-14 19:03 ` Sven Vermeulen
2012-11-14 19:18 ` Dominick Grift
2012-11-14 19:31 ` Sven Vermeulen
2012-11-14 19:39 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121114192015.GA4196@siphos.be \
--to=sven.vermeulen@siphos.be \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.