From: Ivan Gyurdiev <ivg2@cornell.edu>
To: Joshua Brindle <jbrindle@tresys.com>
Cc: SELinux List <SELinux@tycho.nsa.gov>,
Stephen Smalley <sds@tycho.nsa.gov>,
dwalsh@redhat.com
Subject: Re: [SEMANAGE][SEPOL] Enable ports
Date: Tue, 03 Jan 2006 09:35:04 -0500
Message-ID: <43BA8B98.5020502@cornell.edu>
In-Reply-To: <43BAA615.9000605@tresys.com>
>>
>> Actually.... not true. It's difficult to add at the key level, but
>> error checks and warnings and things like that will easily go into a
>> verify run on commit (or possibly in sepol). So, now I think I'll
>> focus on:
>>
> Must do it within semanage since sepol won't know where they came from
> and if they are allowed to shadow entries.
Hmm, yes that is true, I'll think about this some more...
It seems like a verify run of some kind on commit is best.
>> - also, did you know that if you originally put a file with duplicate
>> records in semanage, it would stay that way, and semanage wouldn't
>> complain (it does no duplicate checking when reading in the file -
>> not sure if that's a problem).
>>
> Any local should shadow/override something in the policy without a
> warning, that is the whole point to local settings, particularly with
> ports and interfaces. Any service port (1-1024) will be 'shadowed' by
> something in the policy but should be able to be overridden by
> ports.local.
Yes, I was referring to having multiple entries for the same thing in
the .local file. In addition to not checking for shadowing of ports,
semanage won't check for duplicates every time - it will only check for
duplicates when you add things with API. If the initial file was
corrupted somehow (i.e. contained two identical keys), it won't complain
about it. Not sure if that's a problem.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
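The verify-on-commit pass discussed in the message above, as an added example that is not part of the original thread or of libsemanage itself: it reads a policy port list and a ports.local-style file, treats an exact duplicate key (proto, low port, high port) inside the local file as an error, and reports a local key that shadows a policy key only as information, since overriding the policy is what a local entry is for. The `portcon <proto> <port>[-<port>] <context>` line format, the tcp/udp-only protocol set, and the sample files are assumptions constructed for the example and are not the exact on-disk format of the semanage store.

```python
import re

# Assumed line format, chosen for the example; not the exact libsemanage store format:
#   portcon <proto> <port>|<low>-<high> <security context>
PORTCON_RE = re.compile(r"^portcon\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s+(\S+)\s*$")


def parse_portcon(text):
    """Parse portcon lines into (key, context, lineno); key is (proto, low, high)."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PORTCON_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable port record: {raw!r}")
        proto, low, high, ctx = m.groups()
        low = int(low)
        high = int(high) if high else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"line {lineno}: bad port range {low}-{high}")
        records.append(((proto, low, high), ctx, lineno))
    return records


def verify_local(policy_text, local_text):
    """Return (errors, infos) for a local port file checked against the policy.

    A key that appears twice in the local file is an error: the API-level
    duplicate check never sees a file that was already written that way.
    A local key that also exists in the policy is reported as info only;
    shadowing the policy entry is the intended purpose of the local file.
    """
    policy = {key: ctx for key, ctx, _ in parse_portcon(policy_text)}
    errors, infos = [], []
    first_seen = {}
    for key, ctx, lineno in parse_portcon(local_text):
        if key in first_seen:
            errors.append(
                f"line {lineno}: duplicate key {key} (first at line {first_seen[key]})"
            )
        else:
            first_seen[key] = lineno
        if key in policy:
            infos.append(
                f"line {lineno}: {key} overrides policy context {policy[key]} with {ctx}"
            )
    return errors, infos


# Constructed sample input: a small policy port list and a local file that
# both shadows a policy entry and carries a deliberate duplicate record.
POLICY = """\
portcon tcp 80 system_u:object_r:http_port_t:s0
portcon tcp 443 system_u:object_r:http_port_t:s0
portcon tcp 8080 system_u:object_r:http_cache_port_t:s0
"""

LOCAL = """\
# constructed ports.local with a deliberate duplicate
portcon tcp 8080 system_u:object_r:http_port_t:s0
portcon tcp 9000 system_u:object_r:http_port_t:s0
portcon tcp 9000 system_u:object_r:http_port_t:s0
"""


def run_example():
    """Run the verify pass over the constructed files and return its findings."""
    return verify_local(POLICY, LOCAL)


if __name__ == "__main__":
    errors, infos = run_example()
    for msg in infos:
        print("info:", msg)
    for msg in errors:
        print("error:", msg)
```

The check keys on the exact (proto, low, high) tuple, which is what makes two records "identical" in the sense of the message; a commit hook that also wanted to flag overlapping ranges would need a separate interval comparison, which this example deliberately leaves out.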
Thread overview: 6+ messages
2005-12-24 2:08 [SEMANAGE][SEPOL] Enable ports Ivan Gyurdiev
2006-01-02 18:59 ` Joshua Brindle
2006-01-02 18:51 ` Ivan Gyurdiev
2006-01-03 7:23 ` Ivan Gyurdiev
2006-01-03 16:28 ` Joshua Brindle
2006-01-03 14:35 ` Ivan Gyurdiev [this message]