From: Joshua Brindle <method@manicmethod.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov, paul.moore@hp.com
Subject: Re: [patch 2/2] Peersid capability support
Date: Wed, 07 Nov 2007 17:12:38 -0500	[thread overview]
Message-ID: <47323856.6050501@manicmethod.com> (raw)
In-Reply-To: <1194469634.3956.174.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:
> On Wed, 2007-11-07 at 15:50 -0500, Joshua Brindle wrote:
>> plain text document attachment (peersid_cap.patch)
>> Peersid capability support, keys the peersid capability on the peer object class.
>
> I'm uneasy about this approach, as it is similar to what we originally
> tried for secmark - tying the compat_net setting to the presence of the
> packet class in the policy, except there we were doing it at policy load
> time.  As it turned out, we had policies that defined the packet class
> well before we had usable rule sets for them, and even if we had covered
> that angle, presence/absence of a class definition doesn't reflect
> policy writer intent (e.g. does he want legacy network controls or
> secmark irrespective of whether he is using a modern policy), so we went
> back to manual setting of compat_net.
>

With the unknown perms support can we basically require that defining a 
class means using it? Unfortunately that means we have to defer adding 
newer classes until the support is put in for the older ones.

> What if the base.conf / policy.conf itself had an explicit declaration
> of the capabilities to be enabled?  We can certainly do sanity checks
> too (e.g. if they ask for this capability but haven't defined the
> requisite class, that's a bug in their policy), but that would let
> someone use the latest policy flask definitions but still select what
> they want to enable/disable explicitly, and no unwitting enabling of
> capabilities by side effect.
>

I would also hate to add more base-only options as eventually I think 
we'd like to get rid of (at least I would) the base altogether and get 
everything into modules, assuming we get the necessary infrastructure in 
place like kernel class discovery.

I'm not averse to putting capabilities in the policy though, I just 
don't know if that's the only place where it is appropriate to put them.
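The sanity check proposed in the quoted reply (a policy that enables a capability without declaring the object class it is keyed on is a policy bug, while declaring the class without enabling the capability is the writer's explicit choice) can be expressed as a small consistency checker. The code below is an added illustration and is not part of this thread or of checkpolicy. It assumes a `policycap <name>;` statement in the policy source (the spelling later SELinux policy uses for this), a constructed mapping that keys `network_peer_controls` on the `peer` class as the thread describes for peersid, and constructed sample policy fragments.

```python
"""Check that explicitly enabled policy capabilities have their required classes.

Added example (not code from the thread or from checkpolicy). The capability
name, the policycap statement syntax and the capability->class mapping are
assumptions made for this illustration.
"""
import re
from typing import Dict, List, Set

# Which object class each capability depends on. The thread keys the peersid
# capability on the "peer" class; the capability name below is an assumption.
CAPABILITY_REQUIRES_CLASS: Dict[str, str] = {
    "network_peer_controls": "peer",
}

# "class peer" (declaration) and "class peer { recv }" (permissions) both count
# as the class being present in the policy source.
_CLASS_RE = re.compile(r"^\s*class\s+(\w+)", re.MULTILINE)
# Explicit capability declaration, e.g. "policycap network_peer_controls;"
_POLICYCAP_RE = re.compile(r"^\s*policycap\s+(\w+)\s*;", re.MULTILINE)


def declared_classes(policy: str) -> Set[str]:
    """Object classes declared (or given permissions) in the policy text."""
    return set(_CLASS_RE.findall(policy))


def enabled_capabilities(policy: str) -> List[str]:
    """Capabilities switched on explicitly, in declaration order."""
    return _POLICYCAP_RE.findall(policy)


def check_policy(policy: str) -> List[str]:
    """Return a list of problems; an empty list means the declarations are consistent.

    A capability is accepted only when the checker knows it and the class it is
    keyed on is declared. Declaring the class without enabling the capability is
    deliberately not an error: that is the policy writer's explicit choice, and
    presence of a class alone must not switch the capability on as a side effect.
    """
    classes = declared_classes(policy)
    problems: List[str] = []
    for cap in enabled_capabilities(policy):
        required = CAPABILITY_REQUIRES_CLASS.get(cap)
        if required is None:
            problems.append(f"policycap {cap} is not a known capability")
        elif required not in classes:
            problems.append(
                f"policycap {cap} requires class '{required}', which is not declared"
            )
    return problems


# Constructed sample policy fragments for the example.
CONSISTENT_POLICY = """
class peer
class packet
policycap network_peer_controls;
class peer { recv }
"""

MISSING_CLASS_POLICY = """
class packet
policycap network_peer_controls;
"""

CLASS_ONLY_POLICY = """
class peer
class peer { recv }
"""

if __name__ == "__main__":
    for name, text in [("consistent", CONSISTENT_POLICY),
                       ("missing class", MISSING_CLASS_POLICY),
                       ("class only", CLASS_ONLY_POLICY)]:
        print(name, "->", check_policy(text) or "ok",
              "| enabled:", enabled_capabilities(text))
```

The third fragment is the case the thread cares about: the `peer` class is present but no capability is enabled, and the checker reports nothing, because intent is carried by the explicit `policycap` line rather than by whether the class happens to be defined.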


Thread overview: 7+ messages
2007-11-07 20:50 [patch 0/2] policy capabilities and netpeer support Joshua Brindle
2007-11-07 20:50 ` [patch 1/2] Version 22/Policy capability support Joshua Brindle
2007-11-07 20:50 ` [patch 2/2] Peersid " Joshua Brindle
2007-11-07 21:07   ` Stephen Smalley
2007-11-07 21:23     ` Joshua Brindle
2007-11-07 21:54       ` Paul Moore
2007-11-07 22:12     ` Joshua Brindle [this message]