* Range transitions in modules+refpolicy
From: Christopher J. PeBenito @ 2006-10-03 16:40 UTC
  To: SELinux Mail List; +Cc: Daniel J Walsh

Now that range transitions have been integrated into refpolicy
appropriately, I came up with the following changes,

MLS:

-range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
+range_transition NetworkManager_t initrc_exec_t:process s0 - s15:c0.c255;
+range_transition anaconda_t initrc_exec_t:process s0 - s15:c0.c255;
+range_transition apmd_t initrc_exec_t:process s0 - s15:c0.c255;
+range_transition dpkg_script_t initrc_exec_t:process s0 - s15:c0.c255;
+range_transition dpkg_t initrc_exec_t:process s0 - s15:c0.c255;
+range_transition firstboot_t initrc_exec_t:process s0 - s15:c0.c255;
+range_transition hald_t initrc_exec_t:process s0 - s15:c0.c255;
+range_transition hotplug_t initrc_exec_t:process s0 - s15:c0.c255;
+range_transition init_t initrc_exec_t:process s0 - s15:c0.c255;
+range_transition initrc_t lvm_exec_t s0 - s15:c0.c255;
+range_transition logrotate_t initrc_exec_t:process s0 - s15:c0.c255;
+range_transition rpm_script_t initrc_exec_t:process s0 - s15:c0.c255;
+range_transition rpm_t initrc_exec_t:process s0 - s15:c0.c255;
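
Review bot: The twelve initrc_exec_t rules give every listed source domain, NetworkManager_t, apmd_t and logrotate_t among them, a process at the full s0 - s15:c0.c255 range whenever it executes an init script, and nothing here says which of those callers need that range. Either justify the range per caller in the description or split the interface so that callers opt in to the range transition. Also, "range_transition initrc_t lvm_exec_t s0 - s15:c0.c255;" is written without the ":process" class that the other added rules carry; spell the class out so the hunk uses one form.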

MCS:

+range_transition NetworkManager_t initrc_exec_t:process s0;
+range_transition anaconda_t initrc_exec_t:process s0;
+range_transition apmd_t initrc_exec_t:process s0;
+range_transition dpkg_script_t initrc_exec_t:process s0;
+range_transition dpkg_t initrc_exec_t:process s0;
+range_transition firstboot_t initrc_exec_t:process s0;
+range_transition hald_t initrc_exec_t:process s0;
+range_transition hotplug_t initrc_exec_t:process s0;
+range_transition init_t initrc_exec_t:process s0;
+range_transition logrotate_t initrc_exec_t:process s0;
+range_transition rpm_script_t initrc_exec_t:process s0;
+range_transition rpm_t initrc_exec_t:process s0;
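
Review bot: All twelve rules here force the single level s0, so any source domain in the list that runs with categories drops them on executing initrc_exec_t, while for a source already at s0 the rule changes nothing. Say in the description which of these sources actually run at a range other than s0, and confirm that the absence of a counterpart to the MLS hunk's "initrc_t lvm_exec_t" rule is intended.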

In both cases, the additions are because the range transition was added
to the interface for transitioning to initrc_t to handle the preexisting
range transitions on initrc_exec_t.  I looked into the removal in the
MLS policy, and there isn't a way for kernel_t to transition to lvm_t,
so that removal should be ok.

Comments on this change (in particular the MLS changes)?  Are they
reasonable, or do we need a separate interface for non range transition
to initrc_t?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Range transitions in modules+refpolicy
From: Linda Knippers @ 2006-10-03 20:24 UTC
  To: Christopher J. PeBenito; +Cc: SELinux Mail List, Daniel J Walsh

This is a nit but don't we have 1024 categories now, so s15:c0.c1023?

-- ljk

Christopher J. PeBenito wrote:
> Now that range transitions have been integrated into refpolicy
> appropriately, I came up with the following changes,
> 
> MLS:
> 
> -range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
> +range_transition NetworkManager_t initrc_exec_t:process s0 - s15:c0.c255;
> +range_transition anaconda_t initrc_exec_t:process s0 - s15:c0.c255;
> +range_transition apmd_t initrc_exec_t:process s0 - s15:c0.c255;
> +range_transition dpkg_script_t initrc_exec_t:process s0 - s15:c0.c255;
> +range_transition dpkg_t initrc_exec_t:process s0 - s15:c0.c255;
> +range_transition firstboot_t initrc_exec_t:process s0 - s15:c0.c255;
> +range_transition hald_t initrc_exec_t:process s0 - s15:c0.c255;
> +range_transition hotplug_t initrc_exec_t:process s0 - s15:c0.c255;
> +range_transition init_t initrc_exec_t:process s0 - s15:c0.c255;
> +range_transition initrc_t lvm_exec_t s0 - s15:c0.c255;
> +range_transition logrotate_t initrc_exec_t:process s0 - s15:c0.c255;
> +range_transition rpm_script_t initrc_exec_t:process s0 - s15:c0.c255;
> +range_transition rpm_t initrc_exec_t:process s0 - s15:c0.c255;
> 
> MCS:
> 
> +range_transition NetworkManager_t initrc_exec_t:process s0;
> +range_transition anaconda_t initrc_exec_t:process s0;
> +range_transition apmd_t initrc_exec_t:process s0;
> +range_transition dpkg_script_t initrc_exec_t:process s0;
> +range_transition dpkg_t initrc_exec_t:process s0;
> +range_transition firstboot_t initrc_exec_t:process s0;
> +range_transition hald_t initrc_exec_t:process s0;
> +range_transition hotplug_t initrc_exec_t:process s0;
> +range_transition init_t initrc_exec_t:process s0;
> +range_transition logrotate_t initrc_exec_t:process s0;
> +range_transition rpm_script_t initrc_exec_t:process s0;
> +range_transition rpm_t initrc_exec_t:process s0;
> 
> In both cases, the additions are because the range transition was added
> to the interface for transitioning to initrc_t to handle the preexisting
> range transitions on initrc_exec_t.  I looked into the removal in the
> MLS policy, and there isn't a way for kernel_t to transition to lvm_t,
> so that removal should be ok.
> 
> Comments on this change (in particular the MLS changes)?  Are they
> reasonable, or do we need a separate interface for non range transition
> to initrc_t?
> 



* Re: Range transitions in modules+refpolicy
From: Christopher J. PeBenito @ 2006-10-03 20:38 UTC
  To: Linda Knippers; +Cc: SELinux Mail List, Daniel J Walsh

On Tue, 2006-10-03 at 16:24 -0400, Linda Knippers wrote:
> This is a nit but don't we have 1024 categories now, so s15:c0.c1023?

It is for diff purposes.  The branch with the MLS changes also makes
the number of sensitivities and categories a build option.

> Christopher J. PeBenito wrote:
> > Now that range transitions have been integrated into refpolicy
> > appropriately, I came up with the following changes,
> > 
> > MLS:
> > 
> > -range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
> > +range_transition NetworkManager_t initrc_exec_t:process s0 - s15:c0.c255;
> > +range_transition anaconda_t initrc_exec_t:process s0 - s15:c0.c255;
> > +range_transition apmd_t initrc_exec_t:process s0 - s15:c0.c255;
> > +range_transition dpkg_script_t initrc_exec_t:process s0 - s15:c0.c255;
> > +range_transition dpkg_t initrc_exec_t:process s0 - s15:c0.c255;
> > +range_transition firstboot_t initrc_exec_t:process s0 - s15:c0.c255;
> > +range_transition hald_t initrc_exec_t:process s0 - s15:c0.c255;
> > +range_transition hotplug_t initrc_exec_t:process s0 - s15:c0.c255;
> > +range_transition init_t initrc_exec_t:process s0 - s15:c0.c255;
> > +range_transition initrc_t lvm_exec_t s0 - s15:c0.c255;
> > +range_transition logrotate_t initrc_exec_t:process s0 - s15:c0.c255;
> > +range_transition rpm_script_t initrc_exec_t:process s0 - s15:c0.c255;
> > +range_transition rpm_t initrc_exec_t:process s0 - s15:c0.c255;
> > 
> > MCS:
> > 
> > +range_transition NetworkManager_t initrc_exec_t:process s0;
> > +range_transition anaconda_t initrc_exec_t:process s0;
> > +range_transition apmd_t initrc_exec_t:process s0;
> > +range_transition dpkg_script_t initrc_exec_t:process s0;
> > +range_transition dpkg_t initrc_exec_t:process s0;
> > +range_transition firstboot_t initrc_exec_t:process s0;
> > +range_transition hald_t initrc_exec_t:process s0;
> > +range_transition hotplug_t initrc_exec_t:process s0;
> > +range_transition init_t initrc_exec_t:process s0;
> > +range_transition logrotate_t initrc_exec_t:process s0;
> > +range_transition rpm_script_t initrc_exec_t:process s0;
> > +range_transition rpm_t initrc_exec_t:process s0;
> > 
> > In both cases, the additions are because the range transition was added
> > to the interface for transitioning to initrc_t to handle the preexisting
> > range transitions on initrc_exec_t.  I looked into the removal in the
> > MLS policy, and there isn't a way for kernel_t to transition to lvm_t,
> > so that removal should be ok.
> > 
> > Comments on this change (in particular the MLS changes)?  Are they
> > reasonable, or do we need a separate interface for non range transition
> > to initrc_t?
> > 
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

