* [refpolicy] services_rpc.patch
@ 2008-10-14 19:49 Daniel J Walsh
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2008-10-14 19:49 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_rpc.patch

All rpc bind domains call bindresvport(), which binds to ports 600-1023
(rpc ports)

Add interface to start rpcd_t

Label /etc/exports as a config file

Dontaudit rpcd_t looking at kernel core interface


Transition files created in users' home dirs to the proper label.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkj098YACgkQrlYvE4MpobO/BACaA4JLhtWYVf3oURtX2D+7b7gP
wvsAmwRt8KAmk0lrqSDbXHkD5NYU4L43
=ITq4
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [refpolicy] services_rpc.patch
@ 2009-03-02 22:33 Daniel J Walsh
  2009-03-19 18:21 ` Christopher J. PeBenito
  0 siblings, 1 reply; 10+ messages in thread
From: Daniel J Walsh @ 2009-03-02 22:33 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_rpc.patch

Add rpc.rquotad file context

Bind only to the rpc ports for all rpc 600-1023

mount now starts the rpcd daemon and gets a signal back when it completes

dontaudit getattr_core if for daemons

nfsd getattr on everything in /dev, probably checking for size.

If nfsd is exporting the /home/dwalsh directory, we want to make sure it creates user_home_t and not user_home_dir_t.

If you are exporting any file with nfsd, then we need to be able to getattr on all pipes, sockets, blk files and chr files.

gssd_t writes to the auth cache when using pcscd and coolkey

gssd uses kerberos keytabs

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmsXqMACgkQrlYvE4MpobNjHACbB9YVyf7GGJMjuS6NZ0zB285y
qrgAn0nf9Kp1h25V8+/IorZwa3Bu7VMO
=Sbuv
-----END PGP SIGNATURE-----


* [refpolicy] services_rpc.patch
@ 2009-03-05 17:00 Daniel J Walsh
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2009-03-05 17:00 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_rpc.patch

Add label for rpc.rquotad

Only binds to ports 600-1024

Sends a signal to whoever starts it

nfsd needs to getattr on all devices

Manages cache.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmwBTMACgkQrlYvE4MpobOwqQCfTR0U/Sk/ekoRumiz8dGqqkbV
SOQAoNQxjJTFPakAQbsUkwqjdVv/mw9K
=2tFD
-----END PGP SIGNATURE-----


* [refpolicy] services_rpc.patch
  2009-03-02 22:33 Daniel J Walsh
@ 2009-03-19 18:21 ` Christopher J. PeBenito
  0 siblings, 0 replies; 10+ messages in thread
From: Christopher J. PeBenito @ 2009-03-19 18:21 UTC (permalink / raw)
  To: refpolicy

On Mon, 2009-03-02 at 17:33 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_rpc.patch
> 
> Add rpc.rquotad file context
> 
> Bind only to the rpc ports for all rpc 600-1023
> 
> mount now starts the rpcd daemon and gets a signal back when it completes
> 
> dontaudit getattr_core if for daemons
> 
> nfsd getattr on everything in /dev, probably checking for size.
> 
> If nfsd is exporting the /home/dwalsh directory, we want to make sure it creates user_home_t and not user_home_dir_t.
> 
> If you are exporting any file with nfsd, then we need to be able to getattr on all pipes, sockets, blk files and chr files.
> 
> gssd_t writes to the auth cache when using pcscd and coolkey
> 
> gssd uses kerberos keytabs

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] services_rpc.patch
@ 2009-06-09  1:03 Daniel J Walsh
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2009-06-09  1:03 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_rpc.patch

rpcs sends signals to mount, kernel automount

Add rpc.quota label; it needs to be able to getattr and get quota info
off file systems


* [refpolicy] services_rpc.patch
@ 2009-11-12 21:57 Daniel J Walsh
  2010-02-12 20:41 ` Christopher J. PeBenito
  0 siblings, 1 reply; 10+ messages in thread
From: Daniel J Walsh @ 2009-11-12 21:57 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_rpc.patch

cleanup


* [refpolicy] services_rpc.patch
  2009-11-12 21:57 [refpolicy] services_rpc.patch Daniel J Walsh
@ 2010-02-12 20:41 ` Christopher J. PeBenito
  2010-02-13 11:52   ` Daniel J Walsh
  0 siblings, 1 reply; 10+ messages in thread
From: Christopher J. PeBenito @ 2010-02-12 20:41 UTC (permalink / raw)
  To: refpolicy

On Thu, 2009-11-12 at 16:57 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_rpc.patch
> 
> cleanup

Why would this be doing raw reads on removable devices?

Why is a user_home_dir_t -> user_home_t filetrans required for nfsd_t?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] services_rpc.patch
  2010-02-12 20:41 ` Christopher J. PeBenito
@ 2010-02-13 11:52   ` Daniel J Walsh
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2010-02-13 11:52 UTC (permalink / raw)
  To: refpolicy

On 02/12/2010 03:41 PM, Christopher J. PeBenito wrote:
> On Thu, 2009-11-12 at 16:57 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_rpc.patch
>>
>> cleanup
> 
> Why would this be doing raw reads on removable devices?
> 
> Why is a user_home_dir_t -> user_home_t filetrans required for nfsd_t?
> 
Perhaps your homedir is mounted on a remote machine and you create content in the top level.  Does this get labeled as
user_home_t as it should, or does it get labeled user_home_dir_t?   I think this was an effort to fix this, but I am not sure that
it works, since I think kernel_t actually creates the content, not nfsd_t.

If someone could set up an experiment.

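The experiment asked for above, written out as an added example; it is not part of the original thread, of the Fedora patch, or of refpolicy. A POSIX shell script creates a probe file in an NFS-exported home directory from the client side and then checks, on the server (where the labeling actually happens, since the client will normally only see the nfs_t mount label), whether the new file came out as user_home_t or user_home_dir_t. The NFS_SERVER, CLIENT_MOUNT, PROBE_USER and RUN_NFS_EXPERIMENT variables and the probe file name are assumptions made for the illustration. The `ls -Z` parsing accepts both the older multi-column output and the newer `context name` form, so the label-checking functions can be exercised on captured lines without an NFS setup.

```shell
#!/bin/sh
# Added example, not code from the refpolicy thread or the Fedora patch.
# Checks what SELinux type a file gets when it is created through an NFS
# export of a home directory: user_home_t (correct) or user_home_dir_t
# (the filetrans did not take effect, e.g. because kernel_t created it).
#
# Assumed environment (hypothetical, set by the caller):
#   NFS_SERVER    host exporting /home, reachable over ssh as root
#   CLIENT_MOUNT  where the export is mounted on this client (default /home)
#   PROBE_USER    the user whose home directory is exported
#   RUN_NFS_EXPERIMENT=1  actually touch the export; otherwise only the
#                         functions are defined, so the file can be sourced.

EXPECTED_TYPE="user_home_t"

# Third colon-separated field of a context such as
# "unconfined_u:object_r:user_home_t:s0" is the type.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return the type of the file listed on one line of `ls -Z` output.
# Works for both "context name" and "mode user group context name" layouts
# by looking for the field that carries the object_r role.
ls_z_type() {
    for field in $1; do
        case "$field" in
            *:object_r:*) context_type "$field"; return 0 ;;
        esac
    done
    return 1
}

# Compare the observed type with the one the policy should have produced.
# Prints a verdict and returns 0 (ok) or 1 (mislabeled) for the caller.
judge_label() {
    observed=$(ls_z_type "$1") || observed="(no context found)"
    if [ "$observed" = "$EXPECTED_TYPE" ]; then
        echo "ok: created file is $observed"
        return 0
    fi
    echo "mislabeled: created file is $observed, expected $EXPECTED_TYPE"
    return 1
}

# The live experiment: create a file in the exported home directory from
# the client and inspect its label on the server.
run_experiment() {
    mount_point=${CLIENT_MOUNT:-/home}
    user_dir="$mount_point/${PROBE_USER:-$USER}"
    probe="$user_dir/selinux-filetrans-probe.$$"
    : > "$probe" || { echo "cannot create $probe" >&2; return 2; }
    # The server's view is authoritative; the client may only show nfs_t.
    line=$(ssh "root@$NFS_SERVER" ls -Z "$probe")
    rm -f "$probe"
    judge_label "$line"
}

if [ "${RUN_NFS_EXPERIMENT:-0}" = 1 ]; then
    run_experiment
fi
```

Run it on the client as `RUN_NFS_EXPERIMENT=1 NFS_SERVER=server PROBE_USER=dwalsh sh probe.sh`; a "mislabeled" verdict with user_home_dir_t would confirm the concern that the transition rule on nfsd_t is not what labels the file, and `ps -eZ | grep nfsd` on the server shows which domain the nfsd threads actually run in.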

* [refpolicy] services_rpc.patch
@ 2010-02-23 21:56 Daniel J Walsh
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2010-02-23 21:56 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_rpc.patch

Init scripts

gssd requests that the kernel load modules
gssd sends signals to the kernel
Lists inotify
Sends signals to users

rpcd_t can read default_t for quota files


* [refpolicy] services_rpc.patch
@ 2010-08-26 22:17 Daniel J Walsh
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2010-08-26 22:17 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_rpc.patch

Lots of random fixes.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkx25+8ACgkQrlYvE4MpobOrlACg1LOCEpSon2zRCktl5zLm4WVj
MTMAoJweKeEmBJZU1r0HrK31KwZO1/x/
=+Mtp
-----END PGP SIGNATURE-----

