* Re: ricci changes in policy
[not found] <200702261738.l1QHcBUu030687@localhost.localdomain>
@ 2007-03-06 14:23 ` Christopher J. PeBenito
2007-03-06 14:40 ` Daniel J Walsh
0 siblings, 1 reply; 2+ messages in thread
From: Christopher J. PeBenito @ 2007-03-06 14:23 UTC (permalink / raw)
To: dwalsh; +Cc: selinux
On Mon, 2007-02-26 at 12:38 -0500, dwalsh@localhost.localdomain wrote:
> ricci modstorage needs to be able to configure lvm and work with ccs
Merged except for one bit:
> ===File /tmp/patches/done/nsaserefpolicy_policy_modules_services_ricci.patch===
> --- nsaserefpolicy/policy/modules/services/ricci.te 2007-02-19 11:32:53.000000000 -0500
> +++ serefpolicy-2.5.5/policy/modules/services/ricci.te 2007-02-26 11:02:34.000000000 -0500
> @@ -448,7 +449,7 @@
> # ricci_modstorage local policy
> #
>
> -allow ricci_modstorage_t self:process { setsched signal };
> +allow ricci_modstorage_t self:process { setsched signal ptrace };
> allow ricci_modstorage_t self:capability { mknod sys_nice };
> allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
> allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
Sure this shouldn't be dontaudited instead?
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: ricci changes in policy
2007-03-06 14:23 ` ricci changes in policy Christopher J. PeBenito
@ 2007-03-06 14:40 ` Daniel J Walsh
0 siblings, 0 replies; 2+ messages in thread
From: Daniel J Walsh @ 2007-03-06 14:40 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: selinux
Christopher J. PeBenito wrote:
> On Mon, 2007-02-26 at 12:38 -0500, dwalsh@localhost.localdomain wrote:
>
>> ricci modstorage needs to be able to configure lvm and work with ccs
>>
>
> Merged except for one bit:
>
>
>> ===File /tmp/patches/done/nsaserefpolicy_policy_modules_services_ricci.patch===
>> --- nsaserefpolicy/policy/modules/services/ricci.te 2007-02-19 11:32:53.000000000 -0500
>> +++ serefpolicy-2.5.5/policy/modules/services/ricci.te 2007-02-26 11:02:34.000000000 -0500
>> @@ -448,7 +449,7 @@
>> # ricci_modstorage local policy
>> #
>>
>> -allow ricci_modstorage_t self:process { setsched signal };
>> +allow ricci_modstorage_t self:process { setsched signal ptrace };
>> allow ricci_modstorage_t self:capability { mknod sys_nice };
>> allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
>> allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
>>
>
> Sure this shouldn't be dontaudited instead?
>
>
We can try. I find in some cases it is required, if the confined domain
actually wants to read a value. For example, hal currently reads an
environment variable and requires ptrace.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2007-03-06 14:39 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <200702261738.l1QHcBUu030687@localhost.localdomain>
2007-03-06 14:23 ` ricci changes in policy Christopher J. PeBenito
2007-03-06 14:40 ` Daniel J Walsh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.