Christopher J. PeBenito wrote:
> On Thu, 2006-02-09 at 13:39 -0500, Daniel J Walsh wrote:
>
>> Update build.conf to match what I believe should be the defaults.
>>
>
> I don't see a compelling need to make MCS default for the upstream
> policy. As for the MONOLITHIC=n, I'd prefer to wait until FC5 comes out
> so that there is a final release with loadable modules.
>

I was looking to make these changes back when I thought this was the Makefile for users to build reference policy. I have made some changes to Makefile.devel instead.

>
>> Add some of Russell's mcs changes
>>
>
> I dropped the mcs file change. We can't have hard-coded types.
>

Added a typealias mlskillall. Does this look better?

>
>> hal continuously wants more privs...
>>
>
> Do we really want to make the insmod transition unconditional?
>

Removed unconditional.

>
>> mta/sendmail wants to read postfix config and spools.
>>
>
> I don't understand why this change is needed for mta_send_mail(). It
> makes sendmail_exec_t an entrypoint for the domain that wants to send
> mail:
>

Ok, where should I move it?

> @@ -434,6 +434,7 @@
>
>> allow $1 sendmail_exec_t:lnk_file r_file_perms;
>> domain_auto_trans($1, sendmail_exec_t, system_mail_t)
>> + domain_entry_file($1,sendmail_exec_t)
>>
>> allow $1 system_mail_t:fd use;
>> allow system_mail_t $1:fd use;
>>
>
>> auditctl needs to output to terminals.
>>
>
> I merged this, but I'm curious why this is needed.
>

Getting denials when running auditctl in targeted and MLS policy.

Latest diff:

bluetooth wants to rw new usb_device_t.

mlskillall mentioned above.

newalias wants dav_override.

NetworkManager needs to sendto for wpa_supplicant.

More fixes for postfix.

spamd needs ldap.

prelink needs to unlink lib_t lnk_files when managing them.

Added semodule policy. This still needs work. semodule now wants to create lock files in the /etc/selinux/TYPE/modules subdirectory. I would like to label this policy_config_t; the problem is that all tools (setfiles, restorecon ...) need write access in order to create the lock file. This is a serious problem. I think we also need to label /usr/share/selinux/TYPE/*.pp files as policy_config_t. Need to take this conversation out of this thread though.

We have serious problems with execstack, since it is needed for libflash to work correctly. We can think about labeling web browsers with unconfined_ with execstack privs, or for now I am just turning on avc's for denials, so users might have an idea of what to look for when the flash windows don't work. (Looking at automobile web sites reveals this problem :^))

More privs for secadm.

Added ability for Rules.modular to build with user_extras. Probably need something similar for Rules.monolithic.
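Review bot: in the mta_send_mail() hunk at @@ -434,6 +434,7 @@, the added `domain_entry_file($1,sendmail_exec_t)` grants the entrypoint to the caller $1 rather than to the domain that is actually entered through sendmail_exec_t; the interface already transitions $1 to system_mail_t via `domain_auto_trans($1, sendmail_exec_t, system_mail_t)`, so every domain that calls the interface would gain sendmail_exec_t as an entrypoint it never executes through. If the change is there so that a postfix domain can be entered through sendmail_exec_t (the change note says mta/sendmail wants postfix config and spools), that domain_entry_file belongs in that domain's own module, not in the interface every mail sender calls. Minor style point on the same line: `($1,sendmail_exec_t)` omits the space after the comma that the neighbouring `domain_auto_trans($1, sendmail_exec_t, system_mail_t)` uses.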