From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Adding support for the vlock program
Date: Tue, 02 Nov 2010 09:23:20 -0400 [thread overview]
Message-ID: <4CD010C8.2070300@tresys.com> (raw)
In-Reply-To: <20101102075314.GA14177@localhost.localdomain>
On 11/02/10 03:53, Dominick Grift wrote:
> On Tue, Nov 02, 2010 at 07:17:26AM +0000, HarryCiao wrote:
>>
>> Hi Chris,
>>
>>> Date: Mon, 1 Nov 2010 11:28:30 -0400
>>> From: cpebenito at tresys.com
>>> To: harrytaurus2002 at hotmail.com
>>> CC: domg472 at gmail.com; refpolicy at oss.tresys.com
>>> Subject: Re: [refpolicy] Adding support for the vlock program
>>>
>>> On 10/30/10 07:38, TaurusHarry wrote:
>>>> Hi Dom and Christ,
>>>>
>>>> The attached is the v3 vlock.pp compliant with refpolicy coding style,
>>>> tests passed.
>>>>
>>>> Is it good enough for upstream? :-)
>>>
>>> Merged. I renamed the interfaces, and did a little reordering in the TE
>>> file. Is there any reason not to allow other admins (secadm, auditadm,
>>> etc.) to run vlock?
>>>
>>
>> Many thanks for wrapping up the vlock.pp! I am very happy to get a chance to contribute something back to this mailing list.
>>
>> Well, you've got me! Yes, we should have had the auditadm and secadm able to use the vlock program, along with sysadm, staff or unprivileged user. I used to call the vlock_run() in the userdom_common_user_template() (to grant access of vlock to all users in an once-and-for-all way), but got suggested that we should call the run interfaces in the roles/ layer, I just forgot to patch the auditadm and secadm to make them able to use vlock.
>>
>> Well, please find the patch in the attachment, tests passed. Thanks again!
>
> I did not mention those "other" admins because in my vision those should not be login users in the first place.
They still can run in the console if you newrole to them, so they could
still want to lock the console.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
next prev parent reply other threads:[~2010-11-02 13:23 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-26 9:40 [refpolicy] Adding support for the vlock program TaurusHarry
2010-10-26 11:21 ` Dominick Grift
2010-10-28 8:38 ` TaurusHarry
2010-10-28 8:54 ` Dominick Grift
2010-10-30 11:38 ` TaurusHarry
2010-11-01 15:28 ` Christopher J. PeBenito
2010-11-02 7:17 ` HarryCiao
2010-11-02 7:53 ` Dominick Grift
2010-11-02 13:23 ` Christopher J. PeBenito [this message]
2010-11-02 13:20 ` Christopher J. PeBenito
2010-10-26 12:41 ` Dominick Grift
2010-10-27 8:58 ` TaurusHarry
2010-10-27 10:32 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4CD010C8.2070300@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.