* [refpolicy] roles_staff.patch
@ 2009-05-21 15:35 Daniel J Walsh
0 siblings, 0 replies; 14+ messages in thread
From: Daniel J Walsh @ 2009-05-21 15:35 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/roles_staff.patch
Fedora version of staff, I don't think we want all of these transitions,
just because we have bad policy does not mean we have to use it.
^ permalink raw reply [flat|nested] 14+ messages in thread
* [refpolicy] roles_staff.patch
@ 2010-08-26 22:32 Daniel J Walsh
0 siblings, 0 replies; 14+ messages in thread
From: Daniel J Walsh @ 2010-08-26 22:32 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_staff.patch
http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_unprivuser.patch
http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_sysadm.patch
Separate out the interfaces I do not want
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkx264gACgkQrlYvE4MpobMo9QCdFGoodXQVfncIpQOvysw2GUEI
jCoAoKATaWvbPyc27Bc5xe0pePggQRUu
=z4PO
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 14+ messages in thread
* [refpolicy] roles_staff.patch
@ 2010-06-02 20:31 Daniel J Walsh
2010-07-06 12:42 ` Christopher J. PeBenito
0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2010-06-02 20:31 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_staff.patch
Allow staff user to exec files on removable devices
Needs access to run sandbox
Additional access for staff reading kernel info.
staff_t needs to run newrole to relabel content in his homedir
Needs to run ping
Added distro_redhat to eliminate all of the transitions that we did not
want.
^ permalink raw reply [flat|nested] 14+ messages in thread
* [refpolicy] roles_staff.patch
2010-06-02 20:31 Daniel J Walsh
@ 2010-07-06 12:42 ` Christopher J. PeBenito
2010-07-12 14:19 ` Daniel J Walsh
0 siblings, 1 reply; 14+ messages in thread
From: Christopher J. PeBenito @ 2010-07-06 12:42 UTC (permalink / raw)
To: refpolicy
On 06/02/10 16:31, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_staff.patch
>
> Allow staff user to exec files on removable devices
>
> Needs access to run sandbox
>
> Additional access for staff reading kernel info.
>
> staff_t needs to run newrole to relabel content in his homedir
>
> Needs to run ping
>
> Added distro_redhat to eliminate all of the transitions that we did not
> want.
This needs to be cleaned up, its way off from typical refpolicy style.
Also, instead of ifndef'ing individual optional blocks, they should all
be collected into one big ifndef block.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 14+ messages in thread
* [refpolicy] roles_staff.patch
2010-07-06 12:42 ` Christopher J. PeBenito
@ 2010-07-12 14:19 ` Daniel J Walsh
2010-07-19 17:28 ` Christopher J. PeBenito
0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2010-07-12 14:19 UTC (permalink / raw)
To: refpolicy
On 07/06/2010 08:42 AM, Christopher J. PeBenito wrote:
> On 06/02/10 16:31, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_staff.patch
>>
>> Allow staff user to exec files on removable devices
>>
>> Needs access to run sandbox
>>
>> Additional access for staff reading kernel info.
>>
>> staff_t needs to run newrole to relabel content in his homedir
>>
>> Needs to run ping
>>
>> Added distro_redhat to eliminate all of the transitions that we did not
>> want.
>
> This needs to be cleaned up, its way off from typical refpolicy style.
> Also, instead of ifndef'ing individual optional blocks, they should all
> be collected into one big ifndef block.
>
>
I originally did this but I thought you asked me to move it to this
format to make the changes less severe.
^ permalink raw reply [flat|nested] 14+ messages in thread
* [refpolicy] roles_staff.patch
2010-07-12 14:19 ` Daniel J Walsh
@ 2010-07-19 17:28 ` Christopher J. PeBenito
2010-07-20 18:40 ` Daniel J Walsh
0 siblings, 1 reply; 14+ messages in thread
From: Christopher J. PeBenito @ 2010-07-19 17:28 UTC (permalink / raw)
To: refpolicy
On 07/12/10 10:19, Daniel J Walsh wrote:
> On 07/06/2010 08:42 AM, Christopher J. PeBenito wrote:
>> On 06/02/10 16:31, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_staff.patch
>>>
>>> Allow staff user to exec files on removable devices
>>>
>>> Needs access to run sandbox
>>>
>>> Additional access for staff reading kernel info.
>>>
>>> staff_t needs to run newrole to relabel content in his homedir
>>>
>>> Needs to run ping
>>>
>>> Added distro_redhat to eliminate all of the transitions that we did not
>>> want.
>>
>> This needs to be cleaned up, its way off from typical refpolicy style.
>> Also, instead of ifndef'ing individual optional blocks, they should all
>> be collected into one big ifndef block.
>>
>>
> I originally did this but I thought you asked me to move it to this
> format to make the changes less severe.
Did I? If so, sorry about the confusion. I would prefer that there be
just the single distro_redhat block. But if you can separate the patch
into two: one that moves current rules into the ifndef distro_redhat
block and another that has all the other unrelated changes, that would
make it easier.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 14+ messages in thread
* [refpolicy] roles_staff.patch
2010-07-19 17:28 ` Christopher J. PeBenito
@ 2010-07-20 18:40 ` Daniel J Walsh
0 siblings, 0 replies; 14+ messages in thread
From: Daniel J Walsh @ 2010-07-20 18:40 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/19/2010 01:28 PM, Christopher J. PeBenito wrote:
> On 07/12/10 10:19, Daniel J Walsh wrote:
>> On 07/06/2010 08:42 AM, Christopher J. PeBenito wrote:
>>> On 06/02/10 16:31, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_staff.patch
>>>>
>>>> Allow staff user to exec files on removable devices
>>>>
>>>> Needs access to run sandbox
>>>>
>>>> Additional access for staff reading kernel info.
>>>>
>>>> staff_t needs to run newrole to relabel content in his homedir
>>>>
>>>> Needs to run ping
>>>>
>>>> Added distro_redhat to eliminate all of the transitions that we did not
>>>> want.
>>>
>>> This needs to be cleaned up, its way off from typical refpolicy style.
>>> Also, instead of ifndef'ing individual optional blocks, they should all
>>> be collected into one big ifndef block.
>>>
>>>
>> I originally did this but I thought you asked me to move it to this
>> format to make the changes less severe.
>
> Did I? If so, sorry about the confusion. I would prefer that there be
> just the single distro_redhat block. But if you can separate the patch
> into two: one that moves current rules into the ifndef distro_redhat
> block and another that has all the other unrelated changes, that would
> make it easier.
>
>
This patch removes the role transitions from staff.te, unprivuser.te and
sysadm.te for the redhat policies.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkxF7YoACgkQrlYvE4MpobOolQCggKsC1tx29n9zGquB/QMOgghx
FiwAnj4dtH4IgfOLwZCCUZMhD+eq8cn4
=WGuF
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: role_trans.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20100720/dd18c081/attachment.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: role_trans.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100720/dd18c081/attachment.bin
^ permalink raw reply [flat|nested] 14+ messages in thread
* [refpolicy] roles_staff.patch
@ 2010-02-17 15:54 Daniel J Walsh
2010-02-18 16:32 ` Christopher J. PeBenito
0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2010-02-17 15:54 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_staff.patch
http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_unprivuser.patch
http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_sysadm.patch
Updated patches including ifndef redhat to remove all the old cruft caused by the per_role_template in ancient policy.
staff - Add setexec so it can use sandbox
Allow it to read kernel state.
Allow it to use rtkit
Lots of real world access required by staff_usertype.
Also allow staff_t to transition to unconfined_t through sudo.
^ permalink raw reply [flat|nested] 14+ messages in thread
* [refpolicy] roles_staff.patch
@ 2009-11-12 21:07 Daniel J Walsh
2010-02-17 14:05 ` Christopher J. PeBenito
0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2009-11-12 21:07 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_staff.patch
add setexec so staff_t can run sandbox. Maybe want to add to user_t also.
I think we need to remove all the role transition stuff from staff_t and allow users to choose which domains they want to play with
^ permalink raw reply [flat|nested] 14+ messages in thread
* [refpolicy] roles_staff.patch
@ 2009-03-05 16:26 Daniel J Walsh
0 siblings, 0 replies; 14+ messages in thread
From: Daniel J Walsh @ 2009-03-05 16:26 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://people.fedoraproject.org/~dwalsh/SELinux/F11/roles_staff.patch
staff should not have access to all these roles, most of them are crap.
Lots of additional access needed for staff.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmv/SwACgkQrlYvE4MpobOYwwCcCgGVpUHOGer7e8QH7KclrU0z
7HsAnRHGtrH49ICSqjXceW13pMWlRfzw
=G19v
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2010-08-26 22:32 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-05-21 15:35 [refpolicy] roles_staff.patch Daniel J Walsh
-- strict thread matches above, loose matches on Subject: below --
2010-08-26 22:32 Daniel J Walsh
2010-06-02 20:31 Daniel J Walsh
2010-07-06 12:42 ` Christopher J. PeBenito
2010-07-12 14:19 ` Daniel J Walsh
2010-07-19 17:28 ` Christopher J. PeBenito
2010-07-20 18:40 ` Daniel J Walsh
2010-02-17 15:54 Daniel J Walsh
2010-02-18 16:32 ` Christopher J. PeBenito
2010-02-18 17:57 ` Daniel J Walsh
2010-02-19 13:47 ` Christopher J. PeBenito
2009-11-12 21:07 Daniel J Walsh
2010-02-17 14:05 ` Christopher J. PeBenito
2009-03-05 16:26 Daniel J Walsh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.