* [refpolicy] apps_livecd.patch
@ 2009-03-04 21:39 Daniel J Walsh
  0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2009-03-04 21:39 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/apps_livecd.patch

Policy added to allow us to create livecd.


^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] apps_livecd.patch
@ 2009-05-21 13:55 Daniel J Walsh
  2009-07-21 14:11 ` Christopher J. PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2009-05-21 13:55 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/apps_livecd.patch

Policy for the livecd command, allows the creation of images for
different OS versions than the host machine.

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] apps_livecd.patch
  2009-05-21 13:55 Daniel J Walsh
@ 2009-07-21 14:11 ` Christopher J. PeBenito
  2009-07-21 14:44   ` Daniel J Walsh
  0 siblings, 1 reply; 15+ messages in thread
From: Christopher J. PeBenito @ 2009-07-21 14:11 UTC (permalink / raw)
  To: refpolicy

On Thu, 2009-05-21 at 09:55 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/apps_livecd.patch
> 
> Policy for the livecd command, allows the creation of images for
> different OS versions than the host machine.

I don't understand why this needs its own policy.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] apps_livecd.patch
  2009-07-21 14:11 ` Christopher J. PeBenito
@ 2009-07-21 14:44   ` Daniel J Walsh
  0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2009-07-21 14:44 UTC (permalink / raw)
  To: refpolicy

On 07/21/2009 10:11 AM, Christopher J. PeBenito wrote:
> On Thu, 2009-05-21 at 09:55 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/apps_livecd.patch
>>
>> Policy for the livecd command, allows the creation of images for
>> different OS versions than the host machine.
> 
> I don't understand why this needs its own policy.
> 
livecd policy is used to allow it to apply labels that the host machine does not understand.  So if I am running livecd on a F10 box, and I want to build a livecd for F11, livecd will write context that F10 does not understand.  It should be the only process allowed to write these labels.

seutil_domtrans_setfiles_mac(livecd_t)

Is the key.

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] apps_livecd.patch
@ 2009-08-28 20:07 Daniel J Walsh
  2009-09-10 13:09 ` Christopher J. PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2009-08-28 20:07 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/apps_livecd.patch

Policy to allow livecd to create alternative os on host os.  Allows mac_override.

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] apps_livecd.patch
  2009-08-28 20:07 Daniel J Walsh
@ 2009-09-10 13:09 ` Christopher J. PeBenito
  0 siblings, 0 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2009-09-10 13:09 UTC (permalink / raw)
  To: refpolicy

On Fri, 2009-08-28 at 16:07 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/apps_livecd.patch
> 
> Policy to allow livecd to create alternative os on host os.  Allows
> mac_override.

You say it allows mac_override, but it's dontaudited in the policy?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] apps_livecd.patch
@ 2009-11-12 20:46 Daniel J Walsh
  0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2009-11-12 20:46 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/apps_livecd.patch

Policy for livecd to allow it to create livecd with selinux enabled and different policy than the host machine.

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] apps_livecd.patch
@ 2010-02-23 19:27 Daniel J Walsh
  0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2010-02-23 19:27 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F13/apps_livecd.patch

livecd creator policy.

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] apps_livecd.patch
@ 2010-06-02 20:07 Daniel J Walsh
  2010-07-07 14:29 ` Christopher J. PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2010-06-02 20:07 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_livecd.patch

Policy for livecd tool to allow it to build alternate livecd for 
different os and policy versions.

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] apps_livecd.patch
  2010-06-02 20:07 [refpolicy] apps_livecd.patch Daniel J Walsh
@ 2010-07-07 14:29 ` Christopher J. PeBenito
  2010-07-07 14:31   ` Dominick Grift
  0 siblings, 1 reply; 15+ messages in thread
From: Christopher J. PeBenito @ 2010-07-07 14:29 UTC (permalink / raw)
  To: refpolicy

On 06/02/10 16:07, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_livecd.patch
>
> Policy for livecd tool to allow it to build alternate livecd for
> different os and policy versions.

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] apps_livecd.patch
  2010-07-07 14:29 ` Christopher J. PeBenito
@ 2010-07-07 14:31   ` Dominick Grift
  2010-07-12 14:43     ` Daniel J Walsh
  0 siblings, 1 reply; 15+ messages in thread
From: Dominick Grift @ 2010-07-07 14:31 UTC (permalink / raw)
  To: refpolicy

On 07/07/2010 04:29 PM, Christopher J. PeBenito wrote:
> On 06/02/10 16:07, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_livecd.patch
>>
>> Policy for livecd tool to allow it to build alternate livecd for
>> different os and policy versions.
> 
> Merged.
> 

This policy has a bug:

+seutil_domtrans_setfiles_mac(livecd_t)

should be: seutil_run_setfiles_mac(livecd_t, system_r)

Because else you will hit a constraint (no role is allowed the
setfiles_mac_t domain)


^ permalink raw reply	[flat|nested] 15+ messages in thread
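The role/type problem reported in the message above, as an added example that is not part of the thread or of refpolicy: a small Python model of the two checks a domain transition must pass. The rule text is constructed and simplified, standing in for what a domtrans-style call and a run-style call would contribute, and the function names are hypothetical.

```python
import re

# Constructed, simplified rules (not the real refpolicy macro expansion).
# A domtrans-style interface contributes only the type-enforcement rule.
DOMTRANS_ONLY = """
role system_r types livecd_t;
allow livecd_t setfiles_mac_t:process transition;
"""
# A run-style interface additionally authorizes the role for the new domain.
WITH_RUN = DOMTRANS_ONLY + "role system_r types setfiles_mac_t;\n"

ROLE_RE = re.compile(r"^\s*role\s+(\w+)\s+types\s+(\w+)\s*;", re.M)
TRANS_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):process\s+transition\s*;", re.M)


def parse(policy):
    """Return ({role: {types}}, {(source, target)}) from policy text."""
    role_types = {}
    for role, typ in ROLE_RE.findall(policy):
        role_types.setdefault(role, set()).add(typ)
    return role_types, set(TRANS_RE.findall(policy))


def check_transition(policy, role, source, target):
    """Model the two checks: a TE transition rule, then role authorization."""
    role_types, transitions = parse(policy)
    if (source, target) not in transitions:
        return "denied: no process transition rule"
    if target not in role_types.get(role, set()):
        # The new context role:target would be invalid.
        return "denied: role %s not authorized for %s" % (role, target)
    return "allowed"


def unreachable_targets(policy):
    """Transition targets that no role at all is authorized to enter."""
    role_types, transitions = parse(policy)
    authorized = set().union(*role_types.values())
    return sorted({t for _, t in transitions if t not in authorized})


if __name__ == "__main__":
    for name, pol in (("domtrans only", DOMTRANS_ONLY), ("with run", WITH_RUN)):
        print(name, "->",
              check_transition(pol, "system_r", "livecd_t", "setfiles_mac_t"),
              "| unreachable:", unreachable_targets(pol))
```
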

* [refpolicy] apps_livecd.patch
  2010-07-07 14:31   ` Dominick Grift
@ 2010-07-12 14:43     ` Daniel J Walsh
  2010-07-12 14:51       ` Dominick Grift
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2010-07-12 14:43 UTC (permalink / raw)
  To: refpolicy

On 07/07/2010 10:31 AM, Dominick Grift wrote:
> On 07/07/2010 04:29 PM, Christopher J. PeBenito wrote:
>> On 06/02/10 16:07, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_livecd.patch
>>>
>>> Policy for livecd tool to allow it to build alternate livecd for
>>> different os and policy versions.
>>
>> Merged.
>>
> 
> This policy has a bug:
> 
> +seutil_domtrans_setfiles_mac(livecd_t)
> 
> should be: seutil_run_setfiles_mac(livecd_t, system_r)
> 
Actually, it should be removed since the proper code is in livecd_run.

Currently we don't allow system (init) processes to run this domain.

> Because else you will hit a constraint (no role is allowed the
> setfiles_mac_t domain)

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] apps_livecd.patch
  2010-07-12 14:43     ` Daniel J Walsh
@ 2010-07-12 14:51       ` Dominick Grift
  2010-07-12 17:33         ` Daniel J Walsh
  0 siblings, 1 reply; 15+ messages in thread
From: Dominick Grift @ 2010-07-12 14:51 UTC (permalink / raw)
  To: refpolicy

On 07/12/2010 04:43 PM, Daniel J Walsh wrote:
> On 07/07/2010 10:31 AM, Dominick Grift wrote:
>> On 07/07/2010 04:29 PM, Christopher J. PeBenito wrote:
>>> On 06/02/10 16:07, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_livecd.patch
>>>>
>>>> Policy for livecd tool to allow it to build alternate livecd for
>>>> different os and policy versions.
>>>
>>> Merged.
>>>
>>
>> This policy has a bug:
>>
>> +seutil_domtrans_setfiles_mac(livecd_t)
>>
>> should be: seutil_run_setfiles_mac(livecd_t, system_r)
>>
> Actually, it should be removed since the proper code is in livecd_run.

Then what is this for:
role system_r types livecd_t;

Also:

http://lists.fedoraproject.org/pipermail/selinux/2010-June/012699.html


> Currently we don't allow system (init) processes to run this domain.
> 
>> Because else you will hit a constraint (no role is allowed the
>> setfiles_mac_t domain)



^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] apps_livecd.patch
  2010-07-12 14:51       ` Dominick Grift
@ 2010-07-12 17:33         ` Daniel J Walsh
  0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2010-07-12 17:33 UTC (permalink / raw)
  To: refpolicy

On 07/12/2010 10:51 AM, Dominick Grift wrote:
> On 07/12/2010 04:43 PM, Daniel J Walsh wrote:
>> On 07/07/2010 10:31 AM, Dominick Grift wrote:
>>> On 07/07/2010 04:29 PM, Christopher J. PeBenito wrote:
>>>> On 06/02/10 16:07, Daniel J Walsh wrote:
>>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_livecd.patch
>>>>>
>>>>> Policy for livecd tool to allow it to build alternate livecd for
>>>>> different os and policy versions.
>>>>
>>>> Merged.
>>>>
>>>
>>> This policy has a bug:
>>>
>>> +seutil_domtrans_setfiles_mac(livecd_t)
>>>
>>> should be: seutil_run_setfiles_mac(livecd_t, system_r)
>>>
>> Actually, it should be removed since the proper code is in livecd_run.
> 
> Then what is this for:
> role system_r types livecd_t;
> 
Probably should not be there.  sepolgen added it.   I guess we could
allow some tool to generate livecd via init scripts.  cobbler? But the
policy should then be livecd_run(cobbler_t, system_r)


> Also:
> 
> http://lists.fedoraproject.org/pipermail/selinux/2010-June/012699.html
> 
> 
>> Currently we don't allow system (init) processes to run this domain.
>>
>>> Because else you will hit a constraint (no role is allowed the
>>> setfiles_mac_t domain)

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [refpolicy] apps_livecd.patch
@ 2010-08-26 22:38 Daniel J Walsh
  0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2010-08-26 22:38 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_livecd.patch

Needs to run setfiles_mac

^ permalink raw reply	[flat|nested] 15+ messages in thread
