* automount policy
@ 2004-09-01 2:38 Russell Coker
From: Russell Coker @ 2004-09-01 2:38 UTC
To: SE-Linux; +Cc: Daniel J Walsh
[-- Attachment #1: Type: text/plain, Size: 317 bytes --]
The attached patch is needed for the latest rawhide automount.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
[-- Attachment #2: automount.diff --]
[-- Type: text/x-diff, Size: 389 bytes --]
--- /usr/src/se/policy/domains/program/unused/automount.te 2004-08-28 12:05:01.000000000 +1000
+++ domains/program/unused/automount.te 2004-09-01 12:36:44.000000000 +1000
@@ -66,4 +66,4 @@
allow automount_t home_root_t:dir { getattr };
allow automount_t mnt_t:dir { getattr search };
-allow initrc_t automount_etc_t:file getattr;
+allow initrc_t automount_etc_t:file { getattr read };
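Review bot: the added `+allow initrc_t automount_etc_t:file { getattr read };` line widens initrc_t from getattr to read on every automount_etc_t file, unconditionally, while the submission only says it is needed for the latest rawhide automount and the rule carries no comment. Please add a comment above the rule saying what running in initrc_t reads these files, and if the need is distribution-specific, wrap the rule in the matching distro ifdef instead of granting it to every build of the policy. The rule's source domain is initrc_t but it lives in automount.te, so a short note on that placement would help anyone later auditing what initrc_t can read.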

* Re: automount policy
@ 2004-09-01 3:34 Joshua Brindle
From: Joshua Brindle @ 2004-09-01 3:34 UTC
To: russell; +Cc: SE-Linux, Daniel J Walsh

Russell Coker wrote:
>The attached patch is needed for the latest rawhide automount.
>
>------------------------------------------------------------------------
>
>--- /usr/src/se/policy/domains/program/unused/automount.te 2004-08-28 12:05:01.000000000 +1000
>+++ domains/program/unused/automount.te 2004-09-01 12:36:44.000000000 +1000
>@@ -66,4 +66,4 @@
> allow automount_t home_root_t:dir { getattr };
> allow automount_t mnt_t:dir { getattr search };
>
>-allow initrc_t automount_etc_t:file getattr;
>+allow initrc_t automount_etc_t:file { getattr read };
>
Why add this allow for everyone if it's just for rawhide?

Joshua Brindle
Hardened Gentoo

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: automount policy
@ 2004-09-01 8:22 Russell Coker
From: Russell Coker @ 2004-09-01 8:22 UTC
To: Joshua Brindle; +Cc: SE-Linux, Daniel J Walsh

On Wed, 1 Sep 2004 13:34, Joshua Brindle <method@gentoo.org> wrote:
> >-allow initrc_t automount_etc_t:file getattr;
> >+allow initrc_t automount_etc_t:file { getattr read };
>
> Why add this allow for everyone if it's just for rawhide?

It appears to also be necessary for Debian. If Gentoo is different then we
could have ifdef(`distro_gentoo', `', ` before it.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

* Re: automount policy
@ 2004-09-01 12:02 Joshua Brindle
From: Joshua Brindle @ 2004-09-01 12:02 UTC
To: russell; +Cc: SE-Linux, Daniel J Walsh

Russell Coker wrote:
>On Wed, 1 Sep 2004 13:34, Joshua Brindle <method@gentoo.org> wrote:
>
>>>-allow initrc_t automount_etc_t:file getattr;
>>>+allow initrc_t automount_etc_t:file { getattr read };
>>>
>>Why add this allow for everyone if it's just for rawhide?
>>
>
>It appears to also be necessary for Debian. If Gentoo is different then we
>could have ifdef(`distro_gentoo', `', ` before it.
>
alright, fair enough.

* Re: automount policy
@ 2004-09-01 9:03 Luke Kenneth Casson Leighton
From: Luke Kenneth Casson Leighton @ 2004-09-01 9:03 UTC
To: Joshua Brindle; +Cc: russell, SE-Linux, Daniel J Walsh

On Tue, Aug 31, 2004 at 11:34:21PM -0400, Joshua Brindle wrote:
> Russell Coker wrote:
>
> >The attached patch is needed for the latest rawhide automount.
> >
> >------------------------------------------------------------------------
> >
> >--- /usr/src/se/policy/domains/program/unused/automount.te 2004-08-28
> >12:05:01.000000000 +1000
> >+++ domains/program/unused/automount.te 2004-09-01
> >12:36:44.000000000 +1000
> >@@ -66,4 +66,4 @@
> >allow automount_t home_root_t:dir { getattr };
> >allow automount_t mnt_t:dir { getattr search };
> >
> >-allow initrc_t automount_etc_t:file getattr;
> >+allow initrc_t automount_etc_t:file { getattr read };
> >
> Why add this allow for everyone if it's just for rawhide?

hey, i recognise that patch. sort-of.

it's not just rawhide. i recently added automount to my debian system,
and decided it would be best (for me) to add a type automount_etc_t
for /etc/auto.[usb,misc,net].

it looks like rawhide's picked it up. i only sent the patch adding
automount_etc_t on last week!

btw i seem to have missed /etc/auto.master from my patch [making it
automount_etc_t], which might, if added, mean that
allow automount_t etc_t:file { getattr read } can be _removed_.

worth a try.

also btw guys i thoroughly recommend the approach of doing
modifications to usb-mount which put stuff into /etc/auto.usb
instead of having this utterly ridiculous requirement of "warning
warning please run unmount before removing the usb disk you might
lose data otherwise"

_no_ sane non-technical user is ever going to bother with "unmount"
it makes them think of wild beasts which is going to put them off.

modified usb-mount at http://hands.com/~lkcl/usb-mount in case you're
interested [it's a bit hacked up so i could use some help with the
use of sed and awk]

l.

--
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net"> lkcl.net </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />