Date: Sat, 15 Jun 2019 21:43:48 +0200
From: Dominick Grift
To: Chris PeBenito
Cc: Alexander Miroshnichenko, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] add lldpd policy
Message-ID: <20190615194348.GB2818@brutus.lan>

On Sat, Jun 15, 2019 at 03:24:03PM -0400, Chris PeBenito wrote:
> On 6/15/19 1:58 PM, Dominick Grift wrote:
> > On Sat, Jun 15, 2019 at 12:08:16PM -0400, Chris PeBenito wrote:
> > > On 6/10/19 10:20 AM, Alexander Miroshnichenko wrote:
>
> > > > +allow lldpd_t self:process { fork signal_perms };
> > > > +allow lldpd_t self:fifo_file rw_fifo_file_perms;
> > > > +allow lldpd_t self:unix_stream_socket { accept listen };
> > >
> > > These perms should probably be create_stream_socket_perms.
> >
> > the other permissions are already provided with logging_send_syslog_msg() so would be redundant
>
> This is true. However, the syslog socket is not the only socket in use.
> Since it also listens on its own stream socket, the
> create_stream_socket_perms more clearly shows the intent.

The compiler will remove the duplicate rules, and yes the intent is more clear.
It just feels strange writing and reading duplicate policy.

>
> --
> Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
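
Review bot: The unix_stream_socket rule on the last line of the quoted hunk grants only { accept listen }, so lldpd_t's own listening socket works only because, as the reply states, the remaining stream socket permissions arrive through logging_send_syslog_msg(). That couples the domain's socket to the contents of an unrelated logging interface: if that interface ever stops granting them, lldpd loses the ability to set up its own socket with no visible change in this module. Writing the rule with create_stream_socket_perms, as suggested in the thread, keeps the grant self-contained and readable, and per the reply the duplicate rules are removed at compile time.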