From: Daniel J Walsh <dwalsh@redhat.com>
To: russell@coker.com.au
Cc: jwcart2@epoch.ncsc.mil, SELinux <selinux@tycho.nsa.gov>
Subject: Re: Patch to make can_network stronger and remove nscd tunable.
Date: Tue, 02 Nov 2004 10:55:27 -0500	[thread overview]
Message-ID: <4187ADEF.5030803@redhat.com> (raw)
In-Reply-To: <200411030248.49998.russell@coker.com.au>

Russell Coker wrote:

>On Wed, 3 Nov 2004 01:30, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>>>dictd_t is not permitted to bind to any low ports.  How does it need
>>>net_bind_service capability?
>>
>>Maybe ypbind also.
>
>OK.  If you change the ypbind macro then things should be fine in that regard.
>
>>>+allow hald_t { device_t }:{ chr_file } { create_file_perms };
>>>
>>>Three sets of redundant braces.  Why does it need to create character
>>>device nodes anyway?  We have udev to do that!
>>
>>Hal creates a device when using cardmgr. pcmcia currently does not work
>>with udev.
>>
>>>+file_type_auto_trans(kudzu_t, tmp_t, kudzu_tmp_t, chr_file)
>>>
>>>Why is kudzu creating device nodes under /tmp?  This sounds like a bug in
>>>kudzu to me.
>>
>>I think cardmgr again.
>
>Are they executing cardmgr or cardctl?  If so then there should be a
>domain_auto_trans() rule to get it running in cardmgr_t, doing otherwise may
>interfere with other cardmgr operations later.
>
>I'm surprised that I haven't seen this though as I've got a couple of laptops
>tracking rawhide.  Did you boot with a PCMCIA/Cardbus card installed?  Is
>there anything unusual about your setup?  What model of laptop?
IBM ThinkPad.  I have booted with it in and without it, also have
started and stopped hal which causes the problem.

>>>Why isn't allow $1 self:{ tcp_socket udp_socket } connect; in
>>>can_network()?
>>
>>Because we don't want all network daemons to be able to connect out.
>
>Then we should have two macros, one that allows outbound connections and one
>that doesn't.  Increasing the line count in most domains that have network
>access does no good.
I wanted to treat connect the same way we treat name_bind.  Basically
you need to explicitly state whether a network daemon is inbound,
outbound or both.  If we want to add all the macros fine, but having
can_network default to allowing connect is too loose, think of spammers.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
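The split the two participants converge on above, written out as an added illustration in the m4 macro style of the 2004 example policy. This is not the patch under discussion or any shipped policy: the macro names (can_network_base, can_network_server, can_network_client), the domain names (listen_daemon_t, fetch_daemon_t) and the port type (listen_port_t) are assumptions; the permission sets and attributes (create_socket_perms, port_type, netif_type, node_type) are the ones the example policy of that era defined.

```m4
dnl Added example, not from the thread or the policy tree. Macro, domain and
dnl port-type names below are assumptions chosen for illustration.

dnl Base: create sockets and pass traffic, but neither connect nor name_bind.
dnl This is the "too loose" default removed: connect must be asked for.
define(`can_network_base', `
allow $1 self:udp_socket create_socket_perms;
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 { netif_type node_type }:{ netif node } { tcp_send tcp_recv udp_send udp_recv };
allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
')

dnl Inbound: may listen and accept. Binding a port still needs an explicit
dnl name_bind rule against that port type, exactly as name_bind is treated today.
define(`can_network_server', `
can_network_base($1)
allow $1 self:tcp_socket { listen accept };
')

dnl Outbound: this is the one permission can_network() deliberately omits,
dnl so a daemon that does not need it cannot be turned into a relay.
define(`can_network_client', `
can_network_base($1)
allow $1 self:{ tcp_socket udp_socket } connect;
')

dnl Both directions, for the few daemons that genuinely need them.
define(`can_network_both', `
can_network_server($1)
allow $1 self:{ tcp_socket udp_socket } connect;
')

dnl Each daemon now states which it is (names are assumptions):
can_network_server(listen_daemon_t)
allow listen_daemon_t listen_port_t:tcp_socket name_bind;   dnl explicit inbound port

can_network_client(fetch_daemon_t)                           dnl outbound only
```

With this layout a domain that only uses can_network_server() generates an AVC denial on connect, which is the signal a policy author wants: the outbound capability is visible in the rule set rather than inherited silently from a shared macro, and auditing which daemons may connect out becomes a grep for can_network_client.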
