From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] roles_unconfineduser.patch
Date: Wed, 30 Sep 2009 08:49:26 -0400 [thread overview]
Message-ID: <4AC353D6.8040209@redhat.com> (raw)
In-Reply-To: <200909301756.59551.russell@coker.com.au>
On 09/30/2009 03:56 AM, Russell Coker wrote:
> On Wed, 30 Sep 2009, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> kernel_t, rpm_t, unconfined_t. We want these to be unconfined_domains no
>> matter what unconfined_t would be eliminated if you removed
>> unconfineduser.pp
>>
>> I don't see ways that you can realistically run with out kernel_t and rpm_t
>> being unconfined.
>
> We did have usable systems for years before the concept of an "unconfined
> domain" was invented. Of course we did occasionally run into problems like
> the kernel Oops on shutdown if kernel_t was not permitted to create a UDP
> socket.
>
> In a more general sense, rpm_t needs to be able to create files with few
> restrictions (we could restrict it from accessing /home but that would
> involve some pain). kernel_t needs to be able to mess with other processes
> and network operations in any way that it desires but should have no
> filesystem access other than that which is required to run init and modprobe
> (or maybe hotplug too - what's the latest plan for kernel support of new
> devices?).
>
Do you use NFS? AFS? Kernel threads need access to the file system
next prev parent reply other threads:[~2009-09-30 12:49 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-28 20:21 [refpolicy] roles_unconfineduser.patch Daniel J Walsh
2009-09-29 13:24 ` Christopher J. PeBenito
2009-09-29 13:42 ` Daniel J Walsh
2009-09-29 14:44 ` Christopher J. PeBenito
2009-09-29 19:10 ` Daniel J Walsh
2009-09-29 19:50 ` Christopher J. PeBenito
2009-09-29 20:01 ` Daniel J Walsh
2009-09-30 7:56 ` Russell Coker
2009-09-30 12:49 ` Daniel J Walsh [this message]
-- strict thread matches above, loose matches on Subject: below --
2009-11-12 21:08 Daniel J Walsh
2010-06-02 20:33 Daniel J Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4AC353D6.8040209@redhat.com \
--to=dwalsh@redhat.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.