From: Joe MacDonald <joe@deserted.net>
To: Pascal Ouyang <xin.ouyang@windriver.com>
Cc: yocto@yoctoproject.org
Subject: Re: [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates
Date: Thu, 24 Apr 2014 14:19:09 -0400
Message-ID: <20140424181906.GA10115@deserted.net>
In-Reply-To: <533E65E5.9040707@windriver.com>

Hey guys,

Sorry about the delayed response on these, I merged them today with a
minor update to the targeted description based on the explanation below.

Thanks,
-J.

[Re: [yocto] [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates] On 14.04.04 (Fri 15:57) Pascal Ouyang wrote:

> On 14-4-4 2:57 PM, Pascal Ouyang wrote:
> >On 14-4-4 3:20 AM, Joe MacDonald wrote:
> >>Hey Wenzong,
> >>
> >>I merged two of these four.
> >>
> >>[[yocto] [meta-selinux][PATCH 0/4] add targeted/minimum policy and
> >>some updates] On 14.03.24 (Mon 21:07) wenzong.fan@windriver.com wrote:
> >>
> >>>From: Wenzong Fan <wenzong.fan@windriver.com>
> >>>
> >>>Changes:
> >>>* backport tmpfs_t patch from upstream;
> >>>* add rules for /var/log symlink on poky;
> >>
> >>These both went in.  These:
> >>
> >>>* add targeted policy type
> >>>* add minimum targeted policy
> >>
> >>I'm less clear on.  They both look like significant changes to
> >>refpolicy-* behaviour, which is fine, but in that case I think it'd be
> >>better to give them a different name.  Or one that differentiates them
> >>significantly.  For example the "minimum" policy has users unconfined
> >>and applications confined?  Or neither?  I'm not sure what the value is
> >>of these.
> >>
> >>If they really are just specialized versions of the standard reference
> >>policy, they should at least be ported to use the refpolicy_common
> >>infrastructure Phil set up a while back.
> >
> >Hi Joe & Wenzong,
> >
> >According to the original design, both policy types are targeted policies.
> >
> >For targeted policies,
> >* Users will log into shells in the unconfined domain.
> >* Applications with no policy module, or with their policy module disabled,
> >will also run in the unconfined domain.
> >* "Targeted" applications would have their policy module enabled, with
> >rules to do a domtrans from the unconfined/init* domain to their own domain.
> >
> >The result will be:
> >- standard/mls :
> >   un-ruled applications (usually bin_t) will run in the unconfined domain,
> >so operations will *not* be blocked.
> 
> s#standard/mls#targeted/minimum#
> 
> >- targeted/minimum
> >   un-ruled applications will run in the user's current domain, such as
> >user_t or sysadm_t, so most privileged operations will be blocked.
> >
> 
> s#targeted/minimum#standard/mls#
> 
> :-;
> 
> - Pascal
> 
> >
> >Difference between refpolicy-minimum & refpolicy-targeted
> >* refpolicy-minimum = targeted policy with only core policies
> >   It should just be used for admins to define their own policy.
> >   For example, an httpd server could just use refpolicy-minimum + httpd
> >module. Actually, I had thought of using refpolicy-targeted-minimum as its
> >name, but did not in the end.
> >* refpolicy-targeted = targeted policy with all 300+ modules
> >
> >Thanks. :)
> >
> >- Pascal
> >
> >>
> >>Thanks,
> >>-J.
> >>
> >>>
> >>>The following changes since commit
> >>>a6079a43719e79e12a57e609923a0cccdba06916:
> >>>
> >>>   refpolicy: fix real path for su.shadow (2014-02-13 10:52:07 -0500)
> >>>
> >>>are available in the git repository at:
> >>>
> >>>   git://git.pokylinux.org/poky-contrib wenzong/ref-minimum
> >>>
> >>>http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/ref-minimum
> >>>
> >>>
> >>>Wenzong Fan (4):
> >>>   refpolicy: associate tmpfs_t (shm) to device_t (devtmpfs) file
> >>>     systems
> >>>   refpolicy: add rules for /var/log symlink on poky
> >>>   refpolicy: add targeted policy type
> >>>   refpolicy: add minimum targeted policy
> >>>
> >>>  ...associate-tmpfs_t-shm-to-device_t-devtmpf.patch |   30 +++
> >>>  ...ky-policy-add-rules-for-syslogd_t-symlink.patch |   30 +++
> >>>  ...rules-for-var-log-symlink-audisp_remote_t.patch |   29 +++
> >>>  .../refpolicy/refpolicy-minimum_2.20130424.bb      |   46 +++++
> >>>  ...olicy-fix-optional-issue-on-sysadm-module.patch |   60 ++++++
> >>>  .../refpolicy-unconfined_u-default-user.patch      |  198
> >>>++++++++++++++++++++
> >>>  .../refpolicy/refpolicy-targeted_2.20130424.bb     |   18 ++
> >>>  .../refpolicy/refpolicy_2.20130424.inc             |    3 +
> >>>  8 files changed, 414 insertions(+)
> >>>  create mode 100644
> >>>recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
> >>>
> >>>  create mode 100644
> >>>recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
> >>>
> >>>  create mode 100644
> >>>recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
> >>>
> >>>  create mode 100644
> >>>recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
> >>>  create mode 100644
> >>>recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
> >>>
> >>>  create mode 100644
> >>>recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
> >>>
> >>>  create mode 100644
> >>>recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
> >>>
> >
> >
> 
> 
-- 
-Joe MacDonald.
:wq
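The thread's point that, under a targeted policy, any application without an enabled module falls back to the unconfined domain is worth checking on a built image. The script below is an added example, not code from this thread or from meta-selinux: it assumes the output formats of `semodule -l` (module name, optionally a version) and `ps -eZ`, and both inputs are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or meta-selinux): verify that a targeted
# policy such as refpolicy-minimum actually confines the services you care
# about. Two checks: the service's module is loaded (`semodule -l`), and its
# process runs in its own domain rather than falling back to unconfined_t,
# which is where un-ruled applications land under a targeted policy.
# Both inputs below are constructed samples, not captured from a real system.

SAMPLE_MODULES='httpd   1.2.0
ssh     1.1.0
syslogd 1.0.0'

SAMPLE_PS='LABEL                                     PID TTY   TIME     CMD
system_u:system_r:init_t:s0                 1 ?     00:00:01 init
system_u:system_r:syslogd_t:s0            210 ?     00:00:00 syslogd
system_u:system_r:httpd_t:s0              330 ?     00:00:00 httpd
system_u:system_r:unconfined_t:s0         350 ?     00:00:00 ntpd
unconfined_u:unconfined_r:unconfined_t:s0 400 pts/0 00:00:00 bash'

# module_loaded MODULES NAME: succeed if NAME is a loaded module (first field).
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# missing_modules MODULES "name name ...": print each wanted module not loaded.
missing_modules() {
    for m in $2; do module_loaded "$1" "$m" || echo "$m"; done
}

# proc_domain PS CMD: print the SELinux type (third context field) of CMD.
proc_domain() {
    printf '%s\n' "$1" | awk -v c="$2" 'NR > 1 && $NF == c { split($1, ctx, ":"); print ctx[3]; exit }'
}

# check_service PS CMD: prints not-running | unconfined | confined
check_service() {
    dom=$(proc_domain "$1" "$2")
    if [ -z "$dom" ]; then echo not-running
    elif [ "$dom" = unconfined_t ]; then echo unconfined   # module missing or disabled
    else echo confined
    fi
}

# Stand-alone report: ntpd shows up unconfined because no ntp module is loaded.
for svc in httpd syslogd ntpd sshd; do
    echo "$svc: $(check_service "$SAMPLE_PS" "$svc")"
done
echo "modules not loaded: $(missing_modules "$SAMPLE_MODULES" 'httpd ssh ntp' | tr '\n' ' ')"
```

On a real system, replace the two samples with `semodule -l` and `ps -eZ` output; a daemon reported as unconfined is one the policy is not confining, whatever the policy name suggests.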


Thread overview:
2014-03-25  1:07 [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates wenzong.fan
2014-03-25  1:07 ` [meta-selinux][PATCH 1/4] refpolicy: associate tmpfs_t (shm) to device_t (devtmpfs) file systems wenzong.fan
2014-03-25  1:07 ` [meta-selinux][PATCH 2/4] refpolicy: add rules for /var/log symlink on poky wenzong.fan
2014-03-25  1:07 ` [meta-selinux][PATCH 3/4] refpolicy: add targeted policy type wenzong.fan
2014-03-25  1:07 ` [meta-selinux][PATCH 4/4] refpolicy: add minimum targeted policy wenzong.fan
2014-03-26  5:36 ` [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates Pascal Ouyang
2014-04-03 19:20 ` Joe MacDonald
2014-04-04  6:57   ` Pascal Ouyang
2014-04-04  7:57     ` Pascal Ouyang
2014-04-24 18:19       ` Joe MacDonald [this message]
2014-04-04  8:00     ` wenzong fan
