From: Daniel J Walsh <dwalsh@redhat.com>
To: ivg2@cornell.edu
Cc: SELinux <SELinux@tycho.nsa.gov>
Subject: Re: [Fwd: Latest Diff]
Date: Fri, 06 May 2005 08:33:56 -0400
Message-ID: <427B6434.30201@redhat.com>
In-Reply-To: <1115329465.13097.23.camel@localhost.localdomain>
Ivan Gyurdiev wrote:
>>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.23.14/domains/program/restorecon.te
>>>--- nsapolicy/domains/program/restorecon.te 2005-04-27 10:28:49.000000000 -0400
>>>+++ policy-1.23.14/domains/program/restorecon.te 2005-05-05 15:11:06.000000000 -0400
>>>@@ -20,7 +20,7 @@
>>> role secadm_r types restorecon_t;
>>>
>>> allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
>>>-allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
>>>+allow restorecon_t { tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
>>>
>>>
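Review bot: the `+` line in restorecon.te grows a hardcoded terminal type list to { tty_device_t admin_tty_type devtty_t } with read write ioctl, so the next terminal type means another edit here and in every domain carrying the same pattern; the three rules above differ only in the type list, which is exactly what a shared terminal macro (the reply below proposes access_terminal) is for, and using it keeps both the type list and the permission set uniform across domains.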
>
>Perhaps (?):
>
>allow restorecon_t tty_device_t:chr_file { read write ioctl};
>access_terminal(restorecon_t, $2)
>access_terminal(restorecon_t, initrc)
>
>
>
>>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.14/domains/program/unused/auditd.te
>>>--- nsapolicy/domains/program/unused/auditd.te 2005-05-02 14:06:54.000000000 -0400
>>>+++ policy-1.23.14/domains/program/unused/auditd.te 2005-05-02 14:57:26.000000000 -0400
>>>@@ -56,3 +56,4 @@
>>> allow auditctl_t sysctl_kernel_t:file read;
>>> allow auditd_t self:process setsched;
>>> dontaudit auditctl_t init_t:fd use;
>>>+allow auditctl_t initrc_devpts_t:chr_file { read write };
>>>
>>>
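Review bot: the new auditctl_t rule on initrc_devpts_t grants { read write } only, while the restorecon hunk in this same patch grants { read write ioctl } on the same type; if dropping ioctl is deliberate, say so in a comment, otherwise line the two up, or use the same terminal macro for both so they cannot drift. This file is under domains/program/unused/, so the rule only takes effect when auditd.te is enabled, which is worth remembering when testing the change.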
>
>Perhaps (?):
>
>access_terminal(auditctl_t, initrc)
>
>
>
>>> allow consoletype_t crond_t:fifo_file { read getattr ioctl };
>>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.14/domains/program/unused/cups.te
>>>--- nsapolicy/domains/program/unused/cups.te 2005-05-02 14:06:54.000000000 -0400
>>>+++ policy-1.23.14/domains/program/unused/cups.te 2005-05-02 14:57:26.000000000 -0400
>>>@@ -22,6 +22,7 @@
>>> logdir_domain(cupsd)
>>>
>>> tmp_domain(cupsd)
>>>+file_type_auto_trans(cupsd_t, tmp_t, cupsd_tmp_t, fifo_file)
>>>
>>>
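Review bot: the added file_type_auto_trans(cupsd_t, tmp_t, cupsd_tmp_t, fifo_file) sits directly under tmp_domain(cupsd), which already sets up the cupsd_t / tmp_t / cupsd_tmp_t transition for the default classes, so cupsd's tmp labelling is now split between a macro call and a hand-written rule that must be kept in step; folding fifo_file into the macro's class argument (the form the reply below gives) keeps it in one place.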
>
>tmp_domain(cupsd, `', { file dir fifo_file })
>
>
>
ok
>>>@@ -47,6 +47,7 @@
>>> allow hald_t printer_device_t:chr_file rw_file_perms;
>>> allow hald_t urandom_device_t:chr_file read;
>>> allow hald_t mouse_device_t:chr_file r_file_perms;
>>>+allow hald_t memory_device_t:chr_file r_file_perms;
>>>
>>>
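Review bot: r_file_perms on memory_device_t (the type on /dev/mem and /dev/kmem) lets hald_t read physical and kernel memory, a far larger grant than the mouse, urandom and printer device rules around it, and the reason such rules are normally caught by an assertion (the reply below asks why this one no longer is). The hunk carries no comment on what hald reads from it; record that, and if it is a one-off hardware probe consider confining it to a separate helper domain so the long-running hald_t does not hold the permission itself.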
>
>?? That no longer triggers an assertion violation?
>
>
The privmem attribute allows this.
>I specifically had to allow it in the assertion list when
>it was necessary for dmidecode. Why is it still necessary?
>
>
>
>>>diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.14/macros/program/games_domain.te
>>>--- nsapolicy/macros/program/games_domain.te 2005-04-27 10:28:54.000000000 -0400
>>>+++ policy-1.23.14/macros/program/games_domain.te 2005-05-05 15:10:05.000000000 -0400
>>>@@ -17,11 +17,14 @@
>>> if (! disable_games_trans) {
>>> domain_auto_trans($1_t, games_exec_t, $1_games_t)
>>> }
>>>+can_exec($1_games_t, games_exec_t)
>>>
>>>
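Review bot: can_exec($1_games_t, games_exec_t) is added outside the `if (! disable_games_trans)` block, so $1_games_t can execute games_exec_t files (staying in its own domain) regardless of the boolean; if that is intentional, a one-line comment naming the game that execs another games_exec_t binary would answer the question raised in the reply and keep the rule from being removed later as a leftover.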
>
>It needs to re-execute itself??
>
>===============
>
>Question:
>
>Is it better to create orbit-$USER in a startup script, or
>to include selinux support in libORBit2 in order to
>properly set the context of /tmp/orbit-$USER to ROLE_orbit_tmp_t
>when it's created?
>
>
>
--
This message was distributed to subscribers of the selinux mailing list.
Thread overview:
2005-05-05 19:35 [Fwd: Latest Diff] Daniel J Walsh
2005-05-05 21:44 ` Ivan Gyurdiev
2005-05-06 1:34 ` Russell Coker
2005-05-06 1:58 ` Ivan Gyurdiev
2005-05-06 15:39 ` Ivan Gyurdiev
2005-05-07 13:50 ` Russell Coker
2005-05-07 17:04 ` Ivan Gyurdiev
2005-05-07 19:50 ` Ivan Gyurdiev
2005-05-09 14:42 ` Daniel J Walsh
2005-05-09 18:12 ` Ivan Gyurdiev
2005-05-09 18:17 ` Daniel J Walsh
2005-05-09 18:24 ` Ivan Gyurdiev
2005-05-09 18:27 ` Daniel J Walsh
2005-05-09 18:37 ` Ivan Gyurdiev
2005-05-11 14:59 ` Stephen Smalley
2005-05-07 23:01 ` Russell Coker
2005-05-06 12:33 ` Daniel J Walsh [this message]
2005-05-06 5:33 ` Russell Coker
2005-05-06 12:43 ` Daniel J Walsh
2005-05-06 13:22 ` Russell Coker