From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 3/5] Introduce dontaudits for leaked fd and unix stream sockets
Date: Wed, 14 Nov 2012 21:18:58 +0100 [thread overview]
Message-ID: <20121114201858.GA10250@siphos.be> (raw)
In-Reply-To: <1352921851.3654.34.camel@d30.localdomain>
On Wed, Nov 14, 2012 at 08:37:31PM +0100, Dominick Grift wrote:
> > Would a more generic "rw_inherited_perms" be sufficient (i.e. without
> > referring to the class)? As far as I know, inherited file descriptors or
> > sockets (or ...) are usually just { read write };
>
> I do not agree. Many kinds of objects can be inherited (think files,
> blk_files etc), And its often not just { read write };
Ok, my bad, didn't know that.
> I personally am interesting in just a inherited equivalent of any rw
> permission set that is the same except that it lacks the open permission
> (much like fedora does it)
Perhaps we should just use things like:
dontaudit $1 bar_t:file { rw_file_perms ~open }
if we want to have the same equivalent without open?
Wkr,
Sven Vermeulen
next prev parent reply other threads:[~2012-11-14 20:18 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-10 16:50 [refpolicy] [PATCH 0/5] Small batch of updates for contrib Sven Vermeulen
2012-11-10 16:50 ` [refpolicy] [PATCH 1/5] Introducing cron_manage_log_files interface Sven Vermeulen
2012-11-14 18:09 ` Dominick Grift
2012-11-10 16:50 ` [refpolicy] [PATCH 2/5] Portage fetch domain needs to access certificates Sven Vermeulen
2012-11-14 18:08 ` Dominick Grift
2012-11-10 16:50 ` [refpolicy] [PATCH 3/5] Introduce dontaudits for leaked fd and unix stream sockets Sven Vermeulen
2012-11-14 18:06 ` Dominick Grift
2012-11-14 19:20 ` Sven Vermeulen
2012-11-14 19:37 ` Dominick Grift
2012-11-14 20:18 ` Sven Vermeulen [this message]
2012-11-14 20:31 ` Dominick Grift
2012-11-10 16:50 ` [refpolicy] [PATCH 4/5] Dontaudit attempts by system_mail_t to use leaked fd or " Sven Vermeulen
2012-11-14 18:05 ` Dominick Grift
2012-11-10 16:50 ` [refpolicy] [PATCH 5/5] Support at service Sven Vermeulen
2012-11-14 18:03 ` Dominick Grift
2012-11-14 19:03 ` Sven Vermeulen
2012-11-14 19:18 ` Dominick Grift
2012-11-14 19:31 ` Sven Vermeulen
2012-11-14 19:39 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121114201858.GA10250@siphos.be \
--to=sven.vermeulen@siphos.be \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.