From: Daniel J Walsh <dwalsh@redhat.com>
To: russell@coker.com.au
Cc: SELinux <SELinux@tycho.nsa.gov>
Subject: Re: [Fwd: Latest Diff]
Date: Fri, 06 May 2005 08:43:16 -0400
Message-ID: <427B6664.6070803@redhat.com>
In-Reply-To: <200505061533.10266.russell@coker.com.au>
Russell Coker wrote:
>On Friday 06 May 2005 05:35, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>
>>+allow cupsd_t crond_t:fd use;
>>
>>
>
>Something is wrong here. crond_t has attribute privfd, and from
>daemon_base_domain() cupsd_t gets the following:
>allow cupsd_t privfd:fd use;
>
>-daemon_domain(hald, `, fs_domain, nscd_client_domain')
>+daemon_domain(hald, `, fs_domain, nscd_client_domain, privmem')
>
>-allow hald_t self:capability { net_admin sys_admin dac_override
>dac_read_search mknod };
>+allow hald_t self:capability { net_admin sys_admin dac_override
>dac_read_search mknod sys_rawio };
>
>+allow hald_t memory_device_t:chr_file r_file_perms;
>
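Review bot: the three hald_t changes in this hunk (the privmem attribute, the sys_rawio capability and read access to memory_device_t, the type of /dev/mem) together let a long-running daemon read raw physical memory, which is far more than a DMI probe needs for the rest of its lifetime. If the only consumer is the hardware probe, that access belongs in a separate short-lived domain that hald_t transitions to, and these lines can then be dropped from hald's own policy.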
>The dmidecode_t domain removes the need for those changes.
>
>
>
Ok, removed.
>+can_unix_connect(i18n_input_t, initrc_t)
>
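Review bot: can_unix_connect(i18n_input_t, initrc_t) targets a socket still labelled initrc_t, which usually means the daemon listening on it never transitioned out of initrc_t; adding the connect rule would bake that mislabel into policy and keep the daemon unconfined. The fix is to get the listener into its own domain and target that type instead, so this line should be held back until the wrong-domain question is answered.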
>What's happening here? Looks like a daemon running in the wrong domain.
>
>+allow kudzu_t proc_t:lnk_file getattr;
>
>We already have the following:
>allow kudzu_t { self proc_t }:lnk_file read;
>
>We should probably change it to:
>allow kudzu_t { self proc_t }:lnk_file { getattr read };
>
>
>
I don't see this.
>-dontaudit lvm_t var_run_t:dir getattr;
>+var_run_domain(lvm)
>
>What is this for? CLVM?
>
>
>
I don't recall but it was trying to write a pid file.
>-allow udev_t tmpfs_t:dir rw_dir_perms;
>-allow udev_t tmpfs_t:sock_file create_file_perms;
>+allow udev_t tmpfs_t:dir create_dir_perms;
>+allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
>
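Review bot: widening udev_t to create_dir_perms on tmpfs_t dirs and create_file_perms on { sock_file file } is a permanent grant for what is described as a transient need (device nodes made before /dev is relabelled); tmpfs_t is also the generic type for other tmpfs mounts, so udev_t keeps create rights there after the relabel. If the rule must stay, a comment on the pre-relabel case next to these lines would let a later reviewer drop it once udev's nodes are labelled at creation time.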
>In what situations is this required? When udev is working correctly it will
>never try to create files or directories of type tmpfs_t.
>
>
>
This is happening before the /dev is relabeled.
>+/etc/rhgb(/.*)? -d system_u:object_r:mnt_t
>
>Why move this from rhgb.fc to distros.fc? Surely it's more of a RHGB specific
>thing than a distribution specific thing. Not that there are any other
>distributions using RHGB at the moment.
>
>
>
Because we do not support rhgb in targeted, but need to be able to
mount on it.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
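The two checks Russell does by hand above, that a new allow rule is already covered through an attribute (cupsd_t gets `fd use` on every privfd type, and crond_t is one) and that a new rule could be folded into an existing one for the same source, target and class (the kudzu_t lnk_file case), can be mechanised over the rule lines in a diff. The script below is an added example and is not code from this thread or from the SELinux policy sources; the attribute map and the "existing" rule lines are constructed stand-ins for what the real policy contains, and m4 macros such as r_file_perms are treated as opaque permission names rather than expanded.

```python
"""Flag redundant and mergeable `allow` rules in a policy diff.

Added example, not code from the thread or the SELinux policy sources.
An added rule is *redundant* when every (source, target, class) pair it
names already holds the permissions through an existing rule, including
rules written against an attribute (allow cupsd_t privfd:fd use; covers
crond_t because crond_t carries privfd).  It is *mergeable* when an
existing rule already has the same source, target and class, so the new
permissions can be folded into it instead of adding a second line.  The
attribute map and rule lines below are constructed for the example; m4
macros such as r_file_perms are treated as opaque permission names.
"""
import re
from collections import defaultdict

# Matches: allow SRC TGT:CLASS PERMS;  where SRC, TGT and PERMS may be a
# single name or a brace-delimited set such as { self proc_t }.
RULE_RE = re.compile(
    r"^\s*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+)\s*:\s*(\S+)\s+(\{[^}]*\}|[^;\s]+)\s*;"
)

# Constructed attribute membership: attribute name -> types carrying it.
ATTRS = {"privfd": {"crond_t", "initrc_t"}}

# Constructed stand-ins for rules already present in the policy.
EXISTING = [
    "allow cupsd_t privfd:fd use;",
    "allow kudzu_t { self proc_t }:lnk_file read;",
    "allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };",
]

# The additions under review, as quoted in the thread.
ADDITIONS = [
    "allow cupsd_t crond_t:fd use;",
    "allow kudzu_t proc_t:lnk_file getattr;",
    "allow hald_t memory_device_t:chr_file r_file_perms;",
]


def _items(tok):
    """Expand a bare name or a { ... } set into a list of names."""
    return tok.strip("{} ").split()


def parse_rule(line):
    """Return (sources, targets, class, perms) for one allow rule, else None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    src, tgt, cls, perms = m.groups()
    return _items(src), _items(tgt), cls, set(_items(perms))


def expand(names, attrs, self_of=None):
    """Resolve names to concrete types: an attribute becomes its member set
    and `self` becomes the source type the rule is being evaluated for."""
    out = set()
    for n in names:
        if n == "self" and self_of is not None:
            out.add(self_of)
        else:
            out |= attrs.get(n, {n})
    return out


def granted(rules, attrs):
    """Index existing rules as (src_type, tgt_type, class) -> permission set."""
    idx = defaultdict(set)
    for line in rules:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        srcs, tgts, cls, perms = parsed
        for s in expand(srcs, attrs):
            for t in expand(tgts, attrs, self_of=s):
                idx[(s, t, cls)] |= perms
    return idx


def review_additions(existing, additions, attrs):
    """Classify each added rule as 'redundant', 'mergeable' or 'new'."""
    idx = granted(existing, attrs)
    verdicts = {}
    for line in additions:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        srcs, tgts, cls, perms = parsed
        keys = [(s, t, cls) for s in expand(srcs, attrs)
                for t in expand(tgts, attrs, self_of=s)]
        if all(perms <= idx.get(k, set()) for k in keys):
            verdicts[line.strip()] = "redundant"
        elif all(k in idx for k in keys):
            verdicts[line.strip()] = "mergeable"
        else:
            verdicts[line.strip()] = "new"
    return verdicts


def merged_rule(existing_line, extra_perms):
    """Rewrite an existing rule so its permission set also covers extra_perms,
    which is the single-line form suggested for the kudzu_t lnk_file case."""
    srcs, tgts, cls, perms = parse_rule(existing_line)
    fmt = lambda xs: xs[0] if len(xs) == 1 else "{ " + " ".join(xs) + " }"
    return f"allow {fmt(srcs)} {fmt(tgts)}:{cls} {fmt(sorted(perms | set(extra_perms)))};"


if __name__ == "__main__":
    for rule, verdict in review_additions(EXISTING, ADDITIONS, ATTRS).items():
        print(f"{verdict:9s} {rule}")
    print(merged_rule(EXISTING[1], {"getattr"}))
```

Run stand-alone, it reports the cupsd_t line as redundant, the kudzu_t line as mergeable (and prints the merged `{ getattr read }` rule), and the hald_t memory_device_t line as new, which is the point where a human reviewer still has to ask whether the grant belongs in that domain at all. Attribute membership is the only thing the check cannot read from a diff, so in practice it has to be fed from the full policy, and any rule generated by a macro rather than written out will only be seen if the macros are expanded first.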
Thread overview: 20+ messages
2005-05-05 19:35 [Fwd: Latest Diff] Daniel J Walsh
2005-05-05 21:44 ` Ivan Gyurdiev
2005-05-06 1:34 ` Russell Coker
2005-05-06 1:58 ` Ivan Gyurdiev
2005-05-06 15:39 ` Ivan Gyurdiev
2005-05-07 13:50 ` Russell Coker
2005-05-07 17:04 ` Ivan Gyurdiev
2005-05-07 19:50 ` Ivan Gyurdiev
2005-05-09 14:42 ` Daniel J Walsh
2005-05-09 18:12 ` Ivan Gyurdiev
2005-05-09 18:17 ` Daniel J Walsh
2005-05-09 18:24 ` Ivan Gyurdiev
2005-05-09 18:27 ` Daniel J Walsh
2005-05-09 18:37 ` Ivan Gyurdiev
2005-05-11 14:59 ` Stephen Smalley
2005-05-07 23:01 ` Russell Coker
2005-05-06 12:33 ` Daniel J Walsh
2005-05-06 5:33 ` Russell Coker
2005-05-06 12:43 ` Daniel J Walsh [this message]
2005-05-06 13:22 ` Russell Coker