* [refpolicy] services_smartmon.patch
From: Daniel J Walsh @ 2008-09-24 20:00 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_smartmon.patch
Add initrc script support
allow admin to start/stop service
Admin needs admin_pattern on all file types
smartmon reads netlink route information
Needs to resolve dns names
Someone said it needs mls_file_write_all_levels
* [refpolicy] services_smartmon.patch
From: Christopher J. PeBenito @ 2008-10-08 20:07 UTC (permalink / raw)
To: refpolicy
On Wed, 2008-09-24 at 16:00 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_smartmon.patch
>
> Add initrc script support
>
> allow admin to start/stop service
>
> Admin needs admin_pattern on all file types
>
> smartmon reads netlink route information
>
> Needs to resolve dns names
>
> Someone said it needs mls_file_write_all_levels
Merged except for the MLS bit. Shouldn't it instead be running at
system high? Its purpose is to monitor the disks which are all system
high.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_smartmon.patch
From: Daniel J Walsh @ 2008-10-09 0:53 UTC (permalink / raw)
To: refpolicy
Christopher J. PeBenito wrote:
> On Wed, 2008-09-24 at 16:00 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_smartmon.patch
>>
>> Add initrc script support
>>
>> allow admin to start/stop service
>>
>> Admin needs admin_pattern on all file types
>>
>> smartmon reads netlink route information
>>
>> Needs to resolve dns names
>>
>> Someone said it needs mls_file_write_all_levels
>
> Merged except for the MLS bit. Shouldn't it instead be running at
> system high? Its purpose is to monitor the disks which are all system
> high.
>
Updated smartmon patch to run at system_high, also latest fsdaemon
creates devices.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: services_smartmon.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20081008/84211391/attachment.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: services_smartmon.patch.sig
Type: application/octet-stream
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081008/84211391/attachment.obj
* [refpolicy] services_smartmon.patch
From: Christopher J. PeBenito @ 2008-10-10 17:20 UTC (permalink / raw)
To: refpolicy
On Wed, 2008-10-08 at 20:53 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Wed, 2008-09-24 at 16:00 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_smartmon.patch
> >>
> >> Add initrc script support
> >>
> >> allow admin to start/stop service
> >>
> >> Admin needs admin_pattern on all file types
> >>
> >> smartmon reads netlink route information
> >>
> >> Needs to resolve dns names
> >>
> >> Someone said it needs mls_file_write_all_levels
> >
> > Merged except for the MLS bit. Shouldn't it instead be running at
> > system high? Its purpose is to monitor the disks which are all system
> > high.
> >
> Updated smartmon patch to run at system_high, also latest fsdaemon
> creates devices.
I don't see a range transition. Also, if it's running at system high,
does it still need the mls_file_write_all_levels()?
> plain text document attachment (services_smartmon.patch)
> --- nsaserefpolicy/policy/modules/services/smartmon.te 2008-10-08 19:00:27.000000000 -0400
> +++ serefpolicy-3.5.11/policy/modules/services/smartmon.te 2008-10-08 20:36:17.000000000 -0400
> @@ -26,7 +26,7 @@
>
> allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
> dontaudit fsdaemon_t self:capability sys_tty_config;
> -allow fsdaemon_t self:process signal_perms;
> +allow fsdaemon_t self:process { signal_perms setfscreate };
> allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
> allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
> allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
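Review bot: setfscreate is added to the unconditional `allow fsdaemon_t self:process` rule with no comment saying why a disk monitor needs to set the context of files it creates. If it exists only to support the device-node rules appended at the end of this file, put it next to them as its own `allow fsdaemon_t self:process setfscreate;` line so the two can be made conditional or removed together.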
> @@ -66,6 +66,7 @@
> fs_search_auto_mountpoints(fsdaemon_t)
>
> mls_file_read_all_levels(fsdaemon_t)
> +mls_file_write_all_levels(fsdaemon_t)
>
> storage_raw_read_fixed_disk(fsdaemon_t)
> storage_raw_write_fixed_disk(fsdaemon_t)
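Review bot: mls_file_write_all_levels(fsdaemon_t), added directly under the existing mls_file_read_all_levels(), exempts the domain from MLS write restrictions at every level, and no hunk in this patch adds a range transition. If the daemon is meant to run at system high, add the transition and then check whether this write exemption is still needed at all.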
> @@ -99,3 +100,10 @@
> optional_policy(`
> udev_read_db(fsdaemon_t)
> ')
> +
> +dev_del_entry_generic_dirs(fsdaemon_t)
> +storage_dev_filetrans_fixed_disk(fsdaemon_t)
> +storage_manage_fixed_disk(fsdaemon_t)
> +seutil_read_file_contexts(fsdaemon_t)
> +selinux_validate_context(fsdaemon_t)
> +
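Review bot: the five interface calls appended after the final optional_policy block are unconditional and uncommented, and storage_manage_fixed_disk() goes beyond the storage_raw_read_fixed_disk()/storage_raw_write_fixed_disk() access the module already has, so every system running fsdaemon_t gains the ability to create and label fixed-disk nodes. Wrap them in a conditional with a comment naming the hardware that needs them, group them with the existing storage_ and related calls rather than at end of file, and drop the trailing blank `+` line.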
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_smartmon.patch
From: Daniel J Walsh @ 2008-10-14 15:04 UTC (permalink / raw)
To: refpolicy
The patch has been updated to transition to system_high
* [refpolicy] services_smartmon.patch
From: Daniel J Walsh @ 2009-03-05 17:03 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_smartmon.patch
smartmon needs to be ranged.
Has the ability to create files with the correct context
* [refpolicy] services_smartmon.patch
From: Christopher J. PeBenito @ 2009-03-23 15:24 UTC (permalink / raw)
To: refpolicy
On Thu, 2009-03-05 at 13:03 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_smartmon.patch
>
> smartmon needs to be ranged.
>
> Has the ability to create files with the correct context
Why is this managing fixed disks? I thought it was only monitoring
disks.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_smartmon.patch
From: Daniel J Walsh @ 2009-03-23 18:14 UTC (permalink / raw)
To: refpolicy
On 03/23/2009 11:24 AM, Christopher J. PeBenito wrote:
> On Thu, 2009-03-05 at 13:03 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_smartmon.patch
>>
>> smartmon needs to be ranged.
>>
>> Has the ability to create files with the correct context
>
> Why is this managing fixed disks? I thought it was only monitoring
> disks.
>
Search for this line in the os_linux.cpp file
/* This function will setup and fix device nodes for a 3ware controller. */
We have had to add SELinux intelligence to make sure the device nodes are
labelled correctly.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: os_linux.cpp
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20090323/ce909b78/attachment-0001.pl
* [refpolicy] services_smartmon.patch
From: Christopher J. PeBenito @ 2009-03-23 19:00 UTC (permalink / raw)
To: refpolicy
On Mon, 2009-03-23 at 14:14 -0400, Daniel J Walsh wrote:
> On 03/23/2009 11:24 AM, Christopher J. PeBenito wrote:
> > On Thu, 2009-03-05 at 13:03 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_smartmon.patch
> >>
> >> smartmon needs to be ranged.
> >>
> >> Has the ability to create files with the correct context
> >
> > Why is this managing fixed disks? I thought it was only monitoring
> > disks.
> >
> Search for this line in the os_linux.cpp file
>
> /* This function will setup and fix device nodes for a 3ware controller. */
I prefer this to be conditional, so the majority of people without 3ware
controllers can be safe from additional raw disk access.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_smartmon.patch
From: Daniel J Walsh @ 2009-06-09 1:08 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_smartmon.patch
Fixes for fsdaemon
Run at systemhigh
Creates fixed disk so needs to label them
Has SELinux knowledge built in.
* [refpolicy] services_smartmon.patch
From: Christopher J. PeBenito @ 2009-07-20 18:32 UTC (permalink / raw)
To: refpolicy
On Mon, 2009-06-08 at 21:08 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_smartmon.patch
>
>
> Fixes for fsdaemon
>
> Run at systemhigh
>
> Creates fixed disk so needs to label them
>
> Has SELinux knowledge built in.
Can we move the SELinux-aware bits into a tunable, such as
smartmon_3ware?
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_smartmon.patch
From: Daniel J Walsh @ 2009-11-12 22:00 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_smartmon.patch
drops capabilities
needs to be ranged.
creates its own devices needs to label.
* [refpolicy] services_smartmon.patch
From: Christopher J. PeBenito @ 2009-12-18 15:48 UTC (permalink / raw)
To: refpolicy
On Thu, 2009-11-12 at 17:00 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_smartmon.patch
>
> drops capabilities
>
> needs to be ranged.
Merged.
> creates its own devices needs to label.
Moved this into a tunable, as we discussed previously.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
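The arrangement this thread converges on (daemon ranged at system high, device-node creation and labelling behind a tunable), written out as an added sketch; it is not the merged refpolicy change or any patch posted in the thread. The tunable name smartmon_3ware and the interface calls are taken from the messages and the quoted patch above; fsdaemon_exec_t as the entrypoint type and the use of init_ranged_daemon_domain() are assumptions.

```m4
# Added sketch for smartmon.te, not the merged refpolicy change.
# Comments avoid quote characters because the file is processed by m4.

## <desc>
## <p>
## Allow smartmon to create and label device nodes for 3ware controllers.
## </p>
## </desc>
gen_tunable(smartmon_3ware, false)

# MLS policy only: start the daemon at system high through a range
# transition, instead of granting mls_file_write_all_levels.
# fsdaemon_exec_t is assumed to be the entrypoint type of fsdaemon_t.
ifdef(`enable_mls',`
	init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh)
')

# Off by default: only hosts with the controller enable node creation.
# setfscreate sits here because it is only needed to label the new nodes.
tunable_policy(`smartmon_3ware',`
	allow fsdaemon_t self:process setfscreate;

	dev_del_entry_generic_dirs(fsdaemon_t)
	storage_dev_filetrans_fixed_disk(fsdaemon_t)
	storage_manage_fixed_disk(fsdaemon_t)
	seutil_read_file_contexts(fsdaemon_t)
	selinux_validate_context(fsdaemon_t)
')
```

With the tunable left at its default, fsdaemon_t keeps only the raw read/write access to existing disk nodes that the module already grants; an administrator with the hardware turns it on with `setsebool -P smartmon_3ware on`.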
* [refpolicy] services_smartmon.patch
From: Daniel J Walsh @ 2010-08-26 22:20 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_smartmon.patch
Reads/writes generic scsi