Christopher J. PeBenito wrote:
> On Thu, 2006-08-31 at 15:16 -0400, Daniel J Walsh wrote:
>
>> Amanda changes, not sure why you didn't take them last time
>>
>
> Sorry about that, forgot to send an email about that last patch. As for
> this bit, I'm hesitant to remove the contexts. This policy seems to be
> overengineered, and since we intend to fix it, the unused types should
> be removed too. Otherwise we start getting dead policy, and more mess
> in general.
>

Removed Types

>> Fixing some labels to match what actually ends up on disk see /boot/grub
>>
>
> These say /boot/grup; I assume this is a typo. Also they should be in
> the files module.
>

Fixed and placed in correct fc files.

>> Change firstboot to create etc_runtime_t instead of firstboot_rw_t.
>>
>
> The type should be removed too, see above comments on
> amanda. /usr/share/firstboot is also labeled firstboot_rw_t, so that
> should be resolved too.
>

Removed Types

>> Please change /opt java line to match what IBM ships
>>
>
> I'm concerned this is too broad. Can we get additional, more specific
> regexes?
>

I went looking for this, and I believe it was placed in an IBM directory, but can not find it right now. Also not sure where BEA places their java.

>> In corecommands prelink also creates lnk_file, when it recreates
>> executables.
>>
>
> I assume this refers to the hunk in corecommands.if? I don't agree with
> this change. Only the executables should be specially labeled, not the
> symlinks.
>

Changed to bin_t and sbin_t only.

>> gfs supports xattr
>>
>
> IIRC, last time the question was if this was widely available?
>

Could swear I got email telling me to do this, but can not find it now, so removing.

>> Lots of domains need term_dontaudit_use_unallocated_ttys for startup
>> from a tty.
>>
>
> Can you clarify this? I don't know what you mean by "startup from a
> tty".
>

Log in to console terminals (ctrl-alt-f1) and restart daemons; this generated lots of AVC messages when daemons try to talk to tty_device_t. You will see this same pattern on almost all daemons.

>> Apache uses ldap
>>
>
> This reverts my change; this access is handled by auth_use_nsswitch().
>

Removed.

>> bluetooth_helper started for startx needs some more privs
>>
>
> This corenet addition seems out of place, since it doesn't have complete
> networking perms. Fixed the xserver_stream_connect_xdm() interface
> instead of the xdm addition.
>

Changed to use your stuff.

>> crontab changes for setting MLS values.
>>
>
> The userdomain sending a sigchld to crontab doesn't make sense to me.
> Also $1_tmp_t can't be referenced directly by this template, it needs to
> use the userdomain interfaces. Besides that, I think it would probably
> be best for crontab to have its own $1_crontab_tmp_t type anyway, unless
> there is a compelling reason for it to write the user's tmp files.
>

Changed to $1_crontab_tmp_t, removed the other stuff and will retest on mls.

> Why does system_crond_t need to create crond pid files?
>

Saw an AVC but I am removing this code for now.

>> dovecot wants to read some files labeled var_t.
>>
>
> Moved rule down.
>
>
>> ldap uses a socket to communicate
>>
>
> Generic socket doesn't make sense here.
>

Should be a sock_file

>> NetworkManager wants to ptrace itself
>>
>
> I can't reproduce this on my notebook. Can you look more into this? It
> seems highly irregular.
>

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204161

>> stunnel reads route table
>> and connects to smtp
>>
>
> Is this an explicit requirement, or should it really be tcp connect to
> all ports?

Probably.

>> X No longer needs execstack, execheap, execmem
>>
>
> I am setting this to !distro_redhat, as this is not necessarily the case
> for other distros (incl RHEL4).
>

Fine

>> Changes to semanage
>>
>
> Can't use these templates here. The netlink addition is handled by
> auth_use_nsswitch().
>

Ok, I removed some other netlink_route for the same reason.

>> /usr/lib/ia32el/ia32x_loader needs to run unconfined_execmem_t if we
>> have any hope of turning off allow_execmem
>>
>
> Out of curiosity, what is this program?

See Eric's email

> The ntp change shouldn't be needed, since net_bind_service is allowed by
> corenet_udp_bind_ntp_port(ntpd_t).
>

Removed

> The procmail change shouldn't be needed since udp bind to inaddr_any is
> allowed by corenet_udp_bind_all_nodes(procmail_t).
>

Removed

> The rpc change shouldn't be needed since all domains have self:file
> { getattr read };
>

Removed

> The unconfined change should not be needed since it can do * to all
> domains keys (see domain.te).

Removed

> Holding off on the other new policies since you said they're still WiP.
>
> Why are the following needed?
>
> fsadm exec a shell
>

I am not sure, I removed it until I find it.

> initrc write locale_t
>
> lvm_t net_admin (!)

Removed, might be some network file system? iscsi maybe, just guessing.

> depmod using terms other than the ones it gets from its run interface
>

Removed.

> udev transition to dhcpc
>
>

It does when networks are plugged in, I believe.

> The remainder is merged.
>