* [refpolicy] system_userdomain.patch
@ 2009-03-04 18:05 Daniel J Walsh
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2009-03-04 18:05 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/system_userdomain.patch

The biggest change in this patch is the addition of the $1_usertype.

Instead of using $1_t for all user access, I use $1_usertype.  This
allows me to make $1_java_t == $1_t + { execmem execstack }. Similar for
$1_mono_t.

Changed many templates to interfaces, since they were not defining new
types.

Added labeling for symbolic links of homedirs.

Labeling for /dev/shm files.

My labeling of /root

Added userhomereader attribute in order to allow tunables within tunables.

Added user_home_type handling so we can define additional types to the
home dir and still allow users to manage them.  (ssh_home_t for example.)

Removed a couple of old booleans that really do not make sense.
user_dmesg?  Should be only applied to a particular type, staff_t maybe,
not all users.  guest_t will never run dmesg.


* [refpolicy] system_userdomain.patch
@ 2009-11-12 22:18 Daniel J Walsh
  2010-02-12 20:26 ` Christopher J. PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Daniel J Walsh @ 2009-11-12 22:18 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_userdomain.patch

Widely varied from upstream because of consolidating on attributes rather than types.


* [refpolicy] system_userdomain.patch
  2009-11-12 22:18 Daniel J Walsh
@ 2010-02-12 20:26 ` Christopher J. PeBenito
  2010-02-13 12:20   ` Daniel J Walsh
  0 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2010-02-12 20:26 UTC (permalink / raw)
  To: refpolicy

On Thu, 2009-11-12 at 17:18 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_userdomain.patch
> 
> Widely varied from upstream because of consolidating on attributes
> rather than types.

In principle this is fine, but I'm trying to hold out for a proper
clone/copy mechanism to be available again.  When that comes around, I'd
have to undo this change.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] system_userdomain.patch
  2010-02-12 20:26 ` Christopher J. PeBenito
@ 2010-02-13 12:20   ` Daniel J Walsh
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2010-02-13 12:20 UTC (permalink / raw)
  To: refpolicy

On 02/12/2010 03:26 PM, Christopher J. PeBenito wrote:
> On Thu, 2009-11-12 at 17:18 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_userdomain.patch
>>
>> Widely varied from upstream because of consolidating on attributes
>> rather than types.
> 
> In principle this is fine, but I'm trying to hold out for a proper
> clone/copy mechanism to be available again.  When that comes around, I'd
> have to undo this change.
> 
Maybe, but we have been waiting for the clone/copy mechanism for several years now.  :^(

I have a hard time many people can use confined users without this mechanism or other distros do not use the exec* checks.
Or they do not use java/mono applications.


* [refpolicy] system_userdomain.patch
@ 2010-08-26 23:45 Daniel J Walsh
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2010-08-26 23:45 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/system_userdomain.patch

Lots of fixes.  Cherry pick?
