* [refpolicy] system_daemontools.patch
@ 2010-02-23 22:01 Daniel J Walsh
  2010-03-04 16:16 ` Christopher J. PeBenito
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2010-02-23 22:01 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F13/system_daemontools.patch

+    daemonstools_run_start(sysadm_t, sysadm_r)
+    daemontools_search_svc_dir(syslogd_t)
+    daemontools_sigchld_run(ucspitcp_t)
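Review bot: the first call is spelled daemonstools_run_start while the two below it use the daemontools_ prefix; unless an interface with that exact spelling exists, the call resolves to nothing and the module will not build, so it should read daemontools_run_start(sysadm_t, sysadm_r). The excerpt also drops the hunk headers, so a reader cannot tell which modules these three calls land in; post the hunks with their @@ lines when excerpting.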

svc_run needs sys_resource
reads urand

writes to console

Other access required.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [refpolicy] system_daemontools.patch
  2010-02-23 22:01 [refpolicy] system_daemontools.patch Daniel J Walsh
@ 2010-03-04 16:16 ` Christopher J. PeBenito
  2010-03-04 16:19   ` Daniel J Walsh
  0 siblings, 1 reply; 7+ messages in thread
From: Christopher J. PeBenito @ 2010-03-04 16:16 UTC (permalink / raw)
  To: refpolicy

On Tue, 2010-02-23 at 17:01 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/system_daemontools.patch
> 
> +    daemonstools_run_start(sysadm_t, sysadm_r)
> +    daemontools_search_svc_dir(syslogd_t)
> +    daemontools_sigchld_run(ucspitcp_t)
> 
> svc_run needs sys_resource
> reads urand
> 
> writes to console
> 
> Other access required.

Why is this network access needed:

+allow svc_start_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_bind_generic_node(svc_start_t)
+corenet_tcp_bind_generic_port(svc_start_t)
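Review bot: taken together these three lines let svc_start_t create a TCP socket (create_stream_socket_perms includes listen and accept) and bind it to any port carrying the generic port type on any node, which is a listening-socket grant, not the narrow file and capability access the summary lists (sys_resource, urandom read, console write). If it is to stay, the change needs the AVC denial or the service under svc that requires it; if a specific port is meant, use that port's corenet_tcp_bind_*_port interface rather than the generic one.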

a quick glance through the code didn't indicate any network access.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] system_daemontools.patch
  2010-03-04 16:16 ` Christopher J. PeBenito
@ 2010-03-04 16:19   ` Daniel J Walsh
  2010-03-04 17:36     ` Dominick Grift
  2010-03-05  8:05     ` Miroslav Grepl
  0 siblings, 2 replies; 7+ messages in thread
From: Daniel J Walsh @ 2010-03-04 16:19 UTC (permalink / raw)
  To: refpolicy

On 03/04/2010 11:16 AM, Christopher J. PeBenito wrote:
> On Tue, 2010-02-23 at 17:01 -0500, Daniel J Walsh wrote:
>    
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/system_daemontools.patch
>>
>> +    daemonstools_run_start(sysadm_t, sysadm_r)
>> +    daemontools_search_svc_dir(syslogd_t)
>> +    daemontools_sigchld_run(ucspitcp_t)
>>
>> svc_run needs sys_resource
>> reads urand
>>
>> writes to console
>>
>> Other access required.
>>      
> Why is this network access needed:
>
> +allow svc_start_t self:tcp_socket create_stream_socket_perms;
> +corenet_tcp_bind_generic_node(svc_start_t)
> +corenet_tcp_bind_generic_port(svc_start_t)
>
> a quick glance through the code didn't indicate any network access.
>
>    
I have no idea.  I did not write this one.  Miroslav or Dominick?


* [refpolicy] system_daemontools.patch
  2010-03-04 16:19   ` Daniel J Walsh
@ 2010-03-04 17:36     ` Dominick Grift
  2010-03-05  8:05     ` Miroslav Grepl
  1 sibling, 0 replies; 7+ messages in thread
From: Dominick Grift @ 2010-03-04 17:36 UTC (permalink / raw)
  To: refpolicy

On 03/04/2010 05:19 PM, Daniel J Walsh wrote:
> I have no idea.  I did not write this one.  Miroslav or Dominick?

I did not propose it either. I wish Fedora would use git; that way we
could just look up the committer of this.



* [refpolicy] system_daemontools.patch
  2010-03-04 16:19   ` Daniel J Walsh
  2010-03-04 17:36     ` Dominick Grift
@ 2010-03-05  8:05     ` Miroslav Grepl
  2010-03-08 13:47       ` Christopher J. PeBenito
  1 sibling, 1 reply; 7+ messages in thread
From: Miroslav Grepl @ 2010-03-05  8:05 UTC (permalink / raw)
  To: refpolicy

On 03/04/2010 05:19 PM, Daniel J Walsh wrote:
> On 03/04/2010 11:16 AM, Christopher J. PeBenito wrote:
>> On Tue, 2010-02-23 at 17:01 -0500, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/system_daemontools.patch 
>>>
>>>
>>> +    daemonstools_run_start(sysadm_t, sysadm_r)
>>> +    daemontools_search_svc_dir(syslogd_t)
>>> +    daemontools_sigchld_run(ucspitcp_t)
>>>
>>> svc_run needs sys_resource
>>> reads urand
>>>
>>> writes to console
>>>
>>> Other access required.
>> Why is this network access needed:
>>
>> +allow svc_start_t self:tcp_socket create_stream_socket_perms;
>> +corenet_tcp_bind_generic_node(svc_start_t)
>> +corenet_tcp_bind_generic_port(svc_start_t)
>>
>> a quick glance through the code didn't indicate any network access.
>>
> I have no idea.  I did not write this one.  Miroslav or Dominick?
Ok, I am the culprit. We got this as part of a bug, and people needed to
add a local module with these rules to fix policy issues.

Regards,
Miroslav


* [refpolicy] system_daemontools.patch
  2010-03-05  8:05     ` Miroslav Grepl
@ 2010-03-08 13:47       ` Christopher J. PeBenito
  0 siblings, 0 replies; 7+ messages in thread
From: Christopher J. PeBenito @ 2010-03-08 13:47 UTC (permalink / raw)
  To: refpolicy

On Fri, 2010-03-05 at 09:05 +0100, Miroslav Grepl wrote:
> On 03/04/2010 05:19 PM, Daniel J Walsh wrote:
> > On 03/04/2010 11:16 AM, Christopher J. PeBenito wrote:
> >> On Tue, 2010-02-23 at 17:01 -0500, Daniel J Walsh wrote:
> >>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/system_daemontools.patch 
> >>>
> >>>
> >>> +    daemonstools_run_start(sysadm_t, sysadm_r)
> >>> +    daemontools_search_svc_dir(syslogd_t)
> >>> +    daemontools_sigchld_run(ucspitcp_t)
> >>>
> >>> svc_run needs sys_resource
> >>> reads urand
> >>>
> >>> writes to console
> >>>
> >>> Other access required.
> >> Why is this network access needed:
> >>
> >> +allow svc_start_t self:tcp_socket create_stream_socket_perms;
> >> +corenet_tcp_bind_generic_node(svc_start_t)
> >> +corenet_tcp_bind_generic_port(svc_start_t)
> >>
> >> a quick glance through the code didn't indicate any network access.
> >>
> > I have no idea.  I did not write this one.  Miroslav or Dominick?
> Ok, I am the culprit. We got this as part of a bug, and people needed to
> add a local module with these rules to fix policy issues.

Do you have any info as to why?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

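Chris's question (why svc_start_t gets tcp_socket create plus generic node and port bind) and Miroslav's answer (the rules came from a local module people built to stop denials reported in a bug) are two sides of one check a reviewer can run: does each rule in the proposed patch correspond to an AVC denial somebody actually saw, and does every denial have a rule? The script below is an added example for this thread, not refpolicy code and not audit2allow. It parses audit-style AVC lines and compares them with a list of raw allow rules. The audit lines are constructed for illustration, and the three svc_start_t rules approximate what the interface calls in the patch expand to (assumption: corenet_tcp_bind_generic_node grants node_bind on node_t and corenet_tcp_bind_generic_port grants name_bind on port_t).

```python
"""Cross-check proposed SELinux allow rules against the AVC denials that
supposedly motivated them.

Added example for this thread: not refpolicy code and not audit2allow.
The audit lines are constructed for illustration, not from any real bug.
"""
import re
from collections import defaultdict

# Constructed audit.log excerpt (assumption: the usual auditd AVC layout).
# It covers the access Dan listed for svc_run_t plus one syslogd_t search
# of the /service directory; it contains nothing at all for svc_start_t.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1267000000.123:101): avc:  denied  { sys_resource } for  pid=1234 comm="svscan" capability=24 scontext=system_u:system_r:svc_run_t:s0 tcontext=system_u:system_r:svc_run_t:s0 tclass=capability
type=AVC msg=audit(1267000000.456:102): avc:  denied  { read } for  pid=1234 comm="svscan" name="urandom" dev=tmpfs ino=1033 scontext=system_u:system_r:svc_run_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1267000000.789:103): avc:  denied  { write } for  pid=1234 comm="svscan" path="/dev/console" dev=tmpfs ino=1027 scontext=system_u:system_r:svc_run_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1267000001.001:104): avc:  denied  { search } for  pid=987 comm="syslogd" name="service" dev=sda1 ino=4711 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:svc_svc_t:s0 tclass=dir
"""

# Raw allow rules standing in for the patch.  The last three approximate the
# interface calls Chris quoted (assumption about what the corenet_* expand to).
PROPOSED_RULES = [
    "allow svc_run_t self:capability sys_resource;",
    "allow svc_run_t urandom_device_t:chr_file read;",
    "allow svc_run_t console_device_t:chr_file write;",
    "allow svc_start_t self:tcp_socket create_stream_socket_perms;",
    "allow svc_start_t node_t:tcp_socket node_bind;",
    "allow svc_start_t port_t:tcp_socket name_bind;",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<tclass>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<perm>\S+?))\s*;\s*$"
)


def context_type(ctx):
    """user:role:type[:level] -> type."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return dict(denials)


def denials_to_rules(denials):
    """Render grouped denials as allow rules (the shape audit2allow prints)."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {'self' if tgt == src else tgt}:{cls} {perm_str};")
    return rules


def parse_rule(rule):
    """'allow S T:C perms;' -> ((S, T, C), {perms}); 'self' is resolved to S."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not an allow rule: {rule!r}")
    src = m["src"]
    tgt = src if m["tgt"] == "self" else m["tgt"]
    return (src, tgt, m["tclass"]), set((m["perms"] or m["perm"]).split())


def check_rules(proposed_rules, log_text):
    """Return (verdict per rule, denial-derived rules the patch does not cover).

    A rule is 'justified' when at least one denial has the same
    (source, target, class) triple; permission sets are deliberately not
    compared, because the patch may use refpolicy permission macros.
    """
    denials = parse_denials(log_text)
    verdict, covered = {}, set()
    for rule in proposed_rules:
        key, _ = parse_rule(rule)
        if key in denials:
            verdict[rule] = "justified"
            covered.add(key)
        else:
            verdict[rule] = "no denial observed"
    missing = denials_to_rules({k: v for k, v in denials.items() if k not in covered})
    return verdict, missing


if __name__ == "__main__":
    verdict, missing = check_rules(PROPOSED_RULES, SAMPLE_AVC_LOG)
    for rule, status in verdict.items():
        print(f"{status:20} {rule}")
    for rule in missing:
        print(f"{'missing from patch':20} {rule}")
```

Run it against the real audit.log attached to the bug and any rule that comes back "no denial observed" is one the submitter has to justify on other grounds; the three svc_start_t bind rules are exactly that case if the log shows nothing for svc_start_t. The reverse list (denials with no matching rule) is the daemontools_search_svc_dir(syslogd_t) kind of call, which the patch does contain and this sample reproduces only because the stand-in rule list omits it.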

* [refpolicy] system_daemontools.patch
@ 2010-08-26 23:30 Daniel J Walsh
  0 siblings, 0 replies; 7+ messages in thread
From: Daniel J Walsh @ 2010-08-26 23:30 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/system_daemontools.patch

+    daemonstools_run_start(sysadm_t, sysadm_r)
daemontools_sigchld_run(ucspitcp_t)
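Review bot: the daemonstools_run_start spelling from the February posting is carried over unchanged into this F14 version, and the second line has no leading +, so it is unclear whether daemontools_sigchld_run(ucspitcp_t) is part of this diff or was pasted from the earlier message. The one-line summary below does not say which additional access svc_run and svc_start now need, so the tcp_socket and generic bind question raised in March is still unanswered here; list the access (or the AVC lines) in the description.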


svc run and svc start need additional access

