* [refpolicy] admin_firstboot.patch
@ 2008-09-24 20:54 Daniel J Walsh
  2008-09-25  7:13 ` Russell Coker
  0 siblings, 1 reply; 11+ messages in thread
From: Daniel J Walsh @ 2008-09-24 20:54 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patch

Remove TODO. If we have not done it yet we should forget about it

Needs to run as an xserver_unconfined

* [refpolicy] admin_firstboot.patch
  2008-09-24 20:54 [refpolicy] admin_firstboot.patch Daniel J Walsh
@ 2008-09-25  7:13 ` Russell Coker
  2008-09-25 20:12   ` Daniel J Walsh
  0 siblings, 1 reply; 11+ messages in thread
From: Russell Coker @ 2008-09-25  7:13 UTC (permalink / raw)
  To: refpolicy

On Thursday 25 September 2008 06:54, Daniel J Walsh <dwalsh@redhat.com> wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patch
>
> Remove TODO. If we have not done it yet we should forget about it
>
> Needs to run as an xserver_unconfined

What is the point of having a firstboot_t?  Why not just make it a typealias 
for unconfined_t?

-- 
russell at coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

* [refpolicy] admin_firstboot.patch
  2008-09-25  7:13 ` Russell Coker
@ 2008-09-25 20:12   ` Daniel J Walsh
  2008-09-25 21:00     ` Russell Coker
  0 siblings, 1 reply; 11+ messages in thread
From: Daniel J Walsh @ 2008-09-25 20:12 UTC (permalink / raw)
  To: refpolicy

Russell Coker wrote:
> On Thursday 25 September 2008 06:54, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patch
>>
>> Remove TODO. If we have not done it yet we should forget about it
>>
>> Needs to run as an xserver_unconfined
> 
> What is the point of having a firstboot_t?  Why not just make it a typealias 
> for unconfined_t?
> 
Probably not, although there may be some transitions for firstboot_t
which are not there for unconfined_t.  Both are unconfined domains.

* [refpolicy] admin_firstboot.patch
  2008-09-25 20:12   ` Daniel J Walsh
@ 2008-09-25 21:00     ` Russell Coker
  2008-09-26 12:55       ` Daniel J Walsh
  0 siblings, 1 reply; 11+ messages in thread
From: Russell Coker @ 2008-09-25 21:00 UTC (permalink / raw)
  To: refpolicy

On Friday 26 September 2008 06:12, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Russell Coker wrote:
> > On Thursday 25 September 2008 06:54, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patch
> >>
> >> Remove TODO. If we have not done it yet we should forget about it
> >>
> >> Needs to run as an xserver_unconfined
> >
> > What is the point of having a firstboot_t?  Why not just make it a
> > typealias for unconfined_t?
>
> Probably not, although there may be some transitions for firstboot_t
> which are not there for unconfined_t.  Both are unconfined domains.

Why would you want such a transition?

firstboot is used to configure firewalls and things, being able to configure 
them as unconfined_t is desirable and probably necessary.

From a high-level concept I can't imagine why you would want firstboot_t 
having any transition that unconfined_t lacks.

In terms of reducing policy size (and therefore memory use and disk space), 
removing needless unconfined domains is the best thing to do.

A recent change that I've made is removing unconfined_crond_t and making 
unconfined cron jobs run as unconfined_t.

I'm also wondering whether any of the $1_crond_t domains actually do any good.

* [refpolicy] admin_firstboot.patch
  2008-09-25 21:00     ` Russell Coker
@ 2008-09-26 12:55       ` Daniel J Walsh
  2008-09-26 20:34         ` Russell Coker
  0 siblings, 1 reply; 11+ messages in thread
From: Daniel J Walsh @ 2008-09-26 12:55 UTC (permalink / raw)
  To: refpolicy

Russell Coker wrote:
> On Friday 26 September 2008 06:12, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> Russell Coker wrote:
>>> On Thursday 25 September 2008 06:54, Daniel J Walsh <dwalsh@redhat.com> wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patch
>>>>
>>>> Remove TODO. If we have not done it yet we should forget about it
>>>>
>>>> Needs to run as an xserver_unconfined
>>> What is the point of having a firstboot_t?  Why not just make it a
>>> typealias for unconfined_t?
>> Probably not, although there may be some transitions for firstboot_t
>> which are not there for unconfined_t.  Both are unconfined domains.
> 
> Why would you want such a transition?
> 
Well we also have the problem of machines without the unconfined domain
(MLS, Strict), so I am not sure how to fix those.  As I have stated
before, I think removing the unconfined domain is a mistake; I would much
rather be able to take the unconfined_domain privs away from initrc_t
and other unconfined domains and leave unconfined_t even for MLS
machines, when running as full administrator.  Tools like rpm, dpkg and
firstboot are almost always going to need to be unconfined.  file_trans
is what I was talking about: making sure files created in /etc have the
right context.  We can experiment with removing firstboot policy after
F10 is released, to make sure it does not cause any problems.
> firstboot is used to configure firewalls and things, being able to configure 
> them as unconfined_t is desirable and probably necessary.
> 
> From a high-level concept I can't imagine why you would want firstboot_t 
> having any transition that unconfined_t lacks.
> 
> In terms of reducing policy size (and therefore memory use and disk space), 
> removing needless unconfined domains is the best thing to do.
> 
> A recent change that I've made is removing unconfined_crond_t and making 
> unconfined cron jobs run as unconfined_t.
> 
> I'm also wondering whether any of the $1_crond_t domains actually do any good.
> 
Fedora does not use $1_crond_t any longer.
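
Russell's question (does firstboot_t carry any transition that unconfined_t lacks?) and Dan's answer (the file_trans rules that label new files under /etc) can be checked against a loaded policy rather than argued from memory. The script below is an added example, not code from this thread, from refpolicy or from Fedora: it parses the output of `sesearch -T -s <domain>` for both domains and reports the type_transition rules that only one of them has, plus the rules where both transition on the same target/class key but to different types (the case a typealias cannot reconcile, since one domain can carry only one default per key). The sample sesearch lines are constructed for the example and are not claimed to match any real policy build; the setools output format, the optional quoted filename on a rule, and the presence of the sesearch binary are all assumptions.

```python
"""Diff the type_transition rules of two SELinux domains.

Added example, not code from the refpolicy thread, refpolicy or Fedora.
Parses `sesearch -T -s <domain>` output and reports what one domain would
lose if it became a typealias of the other.
"""
import re
import subprocess
from collections import namedtuple

# Constructed sample output in the setools style (assumed here):
#   type_transition SRC TGT:CLASS RESULT ["name"];
# These rules are invented for the example and do NOT reproduce any real
# Fedora or refpolicy build.
SESEARCH_FIRSTBOOT = """\
type_transition firstboot_t etc_t:file etc_runtime_t;
type_transition firstboot_t depmod_exec_t:process depmod_t;
type_transition firstboot_t xserver_exec_t:process xserver_t;
type_transition firstboot_t tmp_t:dir firstboot_tmp_t;
"""

SESEARCH_UNCONFINED = """\
type_transition unconfined_t etc_t:file etc_runtime_t;
type_transition unconfined_t xserver_exec_t:process xserver_t;
type_transition unconfined_t tmp_t:dir user_tmp_t;
type_transition unconfined_t etc_t:file net_conf_t "resolv.conf";
"""

# Source domain is deliberately left out so rules from two domains compare.
Transition = namedtuple("Transition", "target tclass result name")

_RULE = re.compile(
    r'^type_transition\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>\S+)\s+'
    r'(?P<res>[^\s";]+)\s*(?:"(?P<name>[^"]*)")?\s*;$'
)


def parse_transitions(sesearch_output, source):
    """Return the set of type_transition rules whose source is `source`.

    Blank lines are skipped; any other unrecognised line raises, so a
    sesearch format change cannot silently turn into an empty diff.
    """
    rules = set()
    for line in sesearch_output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _RULE.match(line)
        if m is None:
            raise ValueError("unrecognised sesearch line: %r" % line)
        if m.group("src") != source:
            continue
        rules.add(Transition(m.group("tgt"), m.group("cls"),
                             m.group("res"), m.group("name")))
    return rules


def transitions_only_in(a_out, a_dom, b_out, b_dom):
    """Rules a_dom has that b_dom lacks: lost if a_dom became an alias of b_dom."""
    return parse_transitions(a_out, a_dom) - parse_transitions(b_out, b_dom)


def _key(t):
    return (t.target, t.tclass, t.name)


def conflicting_transitions(a_out, a_dom, b_out, b_dom):
    """Rules on the same (target, class, name) key with different results.

    A merged domain can hold only one default per key, so one of the two
    behaviours has to be chosen explicitly before aliasing.
    """
    a = {_key(t): t.result for t in parse_transitions(a_out, a_dom)}
    b = {_key(t): t.result for t in parse_transitions(b_out, b_dom)}
    return {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}


def run_sesearch(domain):
    """Query the loaded policy (assumes setools' sesearch is installed)."""
    return subprocess.run(["sesearch", "-T", "-s", domain], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Runs on the constructed sample; on a machine with the policy loaded,
    # replace the two strings with run_sesearch("firstboot_t") and
    # run_sesearch("unconfined_t").
    only = transitions_only_in(SESEARCH_FIRSTBOOT, "firstboot_t",
                               SESEARCH_UNCONFINED, "unconfined_t")
    for t in sorted(only, key=lambda t: (t.target, t.tclass, t.result, t.name or "")):
        print("only firstboot_t:", t)
    conflicts = conflicting_transitions(SESEARCH_FIRSTBOOT, "firstboot_t",
                                        SESEARCH_UNCONFINED, "unconfined_t")
    for k, (a, b) in conflicts.items():
        print("conflict on %s: firstboot_t -> %s, unconfined_t -> %s" % (k, a, b))
```

On the sample data the depmod domain transition and the firstboot_tmp_t labeling show up as firstboot_t-only rules, and tmp_t:dir shows up as a conflict, which is exactly the kind of rule that has to be reconciled (or consciously dropped) before a typealias is safe. Run the same two queries in the other direction to see what unconfined_t has that firstboot_t lacks.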

* [refpolicy] admin_firstboot.patch
  2008-09-26 12:55       ` Daniel J Walsh
@ 2008-09-26 20:34         ` Russell Coker
  0 siblings, 0 replies; 11+ messages in thread
From: Russell Coker @ 2008-09-26 20:34 UTC (permalink / raw)
  To: refpolicy

On Friday 26 September 2008 22:55, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >> Probably not, although there may be some transitions for firstboot_t
> >> which are not there for unconfined_t.  Both are unconfined domains.
> >
> > Why would you want such a transition?
>
> Well we also have the problem of machines without the unconfined domain.
>  (MLS, Strict).  So I am not sure how to fix those.  As I have stated

Is it now possible to have a machine installed with MLS policy and never run 
any other policy?

> before I think removing the unconfined domain is a mistake, I would much
> rather be able to take the unconfined_domain privs away from initrc_t
> and other unconfined domains and leave unconfined_t even for MLS
> machines, when running as full administrator.

That sounds reasonable.

> > I'm also wondering whether any of the $1_crond_t domains actually do any
> > good.
>
> Fedora does not use $1_crond_t any longer.

So staff_t cron jobs run as staff_t etc?

OK, I'll do the same for Lenny.

* [refpolicy] admin_firstboot.patch
@ 2010-02-23 19:04 Daniel J Walsh
  0 siblings, 0 replies; 11+ messages in thread
From: Daniel J Walsh @ 2010-02-23 19:04 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F13/admin_firstboot.patch

First boot sends dbus messages.

* [refpolicy] admin_firstboot.patch
@ 2010-06-02 19:47 Daniel J Walsh
  2010-07-01 14:51 ` Christopher J. PeBenito
  0 siblings, 1 reply; 11+ messages in thread
From: Daniel J Walsh @ 2010-06-02 19:47 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/admin_firstboot.patch

firstboot needs to domtrans to depmod to maintain proper labeling.

Also writes to gnome content

Needs to start xserver

* [refpolicy] admin_firstboot.patch
  2010-06-02 19:47 Daniel J Walsh
@ 2010-07-01 14:51 ` Christopher J. PeBenito
  0 siblings, 0 replies; 11+ messages in thread
From: Christopher J. PeBenito @ 2010-07-01 14:51 UTC (permalink / raw)
  To: refpolicy

On 06/02/10 15:47, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/admin_firstboot.patch
>
> firstboot needs to domtrans to depmod to maintain proper labeling.
>
> Also writes to gnome content
>
> Needs to start xserver

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] admin_firstboot.patch
@ 2010-08-26 20:33 Daniel J Walsh
  2010-09-15 13:20 ` Christopher J. PeBenito
  0 siblings, 1 reply; 11+ messages in thread
From: Daniel J Walsh @ 2010-08-26 20:33 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/admin_firstboot.patch

first boot runs consoletype

* [refpolicy] admin_firstboot.patch
  2010-08-26 20:33 Daniel J Walsh
@ 2010-09-15 13:20 ` Christopher J. PeBenito
  0 siblings, 0 replies; 11+ messages in thread
From: Christopher J. PeBenito @ 2010-09-15 13:20 UTC (permalink / raw)
  To: refpolicy

On 08/26/10 16:33, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/admin_firstboot.patch
>
> first boot runs consoletype

Merged.
