* djbdns patch
@ 2007-03-23 20:00 Daniel J Walsh
  2007-04-10 12:46 ` Christopher J. PeBenito
  0 siblings, 1 reply; 3+ messages in thread
From: Daniel J Walsh @ 2007-03-23 20:00 UTC
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 42 bytes --]

Make ucspitcp_service_domain optional

[-- Attachment #2: djbdns.patch --]
[-- Type: text/x-patch, Size: 434 bytes --]

--- nsaserefpolicy/policy/modules/services/djbdns.te	2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/services/djbdns.te	2007-03-22 15:06:59.000000000 -0400
@@ -44,4 +44,7 @@
 libs_use_ld_so(djbdns_axfrdns_t)
 libs_use_shared_libs(djbdns_axfrdns_t)
 
-ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+optional_policy(`
+	ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+')
+
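
Review bot: once `ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)` sits inside `optional_policy`, it is dropped silently whenever the ucspitcp module is not present, and nothing in the lines shown takes its place for djbdns_axfrdns_t in that case. The one-line description does not say why djbdns must build without ucspitcp or how axfrdns is expected to be started then; please add that to the description or as a comment above the block, so the reduced policy is a documented choice rather than a side effect. As a style point, the last added line is an empty `+` after `')` with no context following it, so the change leaves a trailing blank line at that position; drop it.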

* Re: djbdns patch
  2007-03-23 20:00 djbdns patch Daniel J Walsh
@ 2007-04-10 12:46 ` Christopher J. PeBenito
  2007-04-10 13:45   ` Petre Rodan
  0 siblings, 1 reply; 3+ messages in thread
From: Christopher J. PeBenito @ 2007-04-10 12:46 UTC
  To: Daniel J Walsh, kaiowas; +Cc: SE Linux

On Fri, 2007-03-23 at 16:00 -0400, Daniel J Walsh wrote:
> Make ucspitcp_service_domain optional

Perhaps this should be made an init_daemon_domain() too?

> --- nsaserefpolicy/policy/modules/services/djbdns.te    2007-01-02 12:57:43.000000000 -0500
> +++ serefpolicy-2.5.10/policy/modules/services/djbdns.te        2007-03-22 15:06:59.000000000 -0400
> @@ -44,4 +44,7 @@
>  libs_use_ld_so(djbdns_axfrdns_t)
>  libs_use_shared_libs(djbdns_axfrdns_t)
>  
> -ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
> +optional_policy(`
> +       ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
> +')
> +
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* Re: djbdns patch
  2007-04-10 12:46 ` Christopher J. PeBenito
@ 2007-04-10 13:45   ` Petre Rodan
  0 siblings, 0 replies; 3+ messages in thread
From: Petre Rodan @ 2007-04-10 13:45 UTC
  To: Christopher J. PeBenito; +Cc: Daniel J Walsh, SE Linux

[-- Attachment #1: Type: text/plain, Size: 1536 bytes --]


Hi,

On Tue, Apr 10, 2007 at 08:46:39AM -0400, Christopher J. PeBenito wrote:
> On Fri, 2007-03-23 at 16:00 -0400, Daniel J Walsh wrote:
> > Make ucspitcp_service_domain optional
> 
> Perhaps this should be made an init_daemon_domain() too?

axfrdns runs under tcpserver [1], it is not a stand-alone daemon, so I see no reason why it should be an init_daemon_domain().

Also, I wonder what use it would be to have the djbdns module loaded without also loading the ucspitcp one.

[1] http://cr.yp.to/djbdns/axfrdns.html

"Normally axfrdns runs under tcpserver to handle TCP connections on port 53 of a local IP address. tcpserver is responsible for rejecting connections from hosts not authorized to perform zone transfers. axfrdns can also run under secure connection tools offering an UCSPI-compliant interface."

> > --- nsaserefpolicy/policy/modules/services/djbdns.te    2007-01-02 12:57:43.000000000 -0500
> > +++ serefpolicy-2.5.10/policy/modules/services/djbdns.te        2007-03-22 15:06:59.000000000 -0400
> > @@ -44,4 +44,7 @@
> >  libs_use_ld_so(djbdns_axfrdns_t)
> >  libs_use_shared_libs(djbdns_axfrdns_t)
> >  
> > -ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
> > +optional_policy(`
> > +       ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
> > +')
> > +

cheers,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux 
