From: "J. Bruce Fields" <bfields@fieldses.org>
To: Boaz Harrosh <boaz@plexistor.com>
Cc: Jeff Layton <jlayton@poochiereds.net>,
Greg KH <gregkh@linuxfoundation.org>,
trond.myklebust@primarydata.com, linux-fsdevel@vger.kernel.org,
linux-nfs@vger.kernel.org
Subject: Re: [PATCH] sunrpc: make debugfs file creation failure non-fatal
Date: Tue, 31 Mar 2015 11:58:24 -0400
Message-ID: <20150331155824.GL6901@fieldses.org>
In-Reply-To: <551AC1B9.60205@plexistor.com>

On Tue, Mar 31, 2015 at 06:48:09PM +0300, Boaz Harrosh wrote:
> On 03/31/2015 06:11 PM, Jeff Layton wrote:
> > On Tue, 31 Mar 2015 16:26:41 +0200
> > Greg KH <gregkh@linuxfoundation.org> wrote:
> >
> <>
> > We certainly can update the selinux policy to allow gssproxy to do
> > this, but:
> >
>
> Or can we update the selinux policy to allow any user access to
> debugfs, since as you said it is always Kernel created ?

As I said, it's actually directory search permissions that selinux is
denying.

Denying gss-proxy permissions to read debugfs actually sounds reasonable
to me--most daemons probably don't need to read debugfs, so why take the
chance there might be some inadvertent information exposure in debugfs
that could be useful to an attacker?

--b.