From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH/RFC 2/19]: patch set to update the git reference policy
Date: Mon, 31 Jan 2011 13:52:34 -0500
Message-ID: <4D4704F2.7080604@tresys.com>
In-Reply-To: <4D3D8BB5.4010501@gmail.com>
On 1/24/2011 9:24 AM, Dominick Grift wrote:
> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
Please include descriptions on each of your patches. The subject is
definitely insufficient. I guess this is all the dbus changes you
suggest? More
>> diff -pruN -x .git refpolicy-git-18012011/policy/modules/apps/cpufreqselector.if refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.if
>> --- refpolicy-git-18012011/policy/modules/apps/cpufreqselector.if 2011-01-08 19:07:21.176730930 +0100
>> +++ refpolicy-git-18012011-dbus/policy/modules/apps/cpufreqselector.if 2011-01-23 22:00:15.084140029 +0100
>> @@ -1 +1,42 @@
>> ##<summary>Command-line CPU frequency settings.</summary>
>> +
[cut]
>> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.if refpolicy-git-18012011-dbus/policy/modules/system/logging.if
>> --- refpolicy-git-18012011/policy/modules/system/logging.if 2011-01-08 19:07:21.355759202 +0100
>> +++ refpolicy-git-18012011-dbus/policy/modules/system/logging.if 2011-01-23 22:00:15.130147425 +0100
>> @@ -337,6 +337,47 @@ interface(`logging_stream_connect_dispat
>>
>> ########################################
>> ##<summary>
>> +## Send a dbus message to the audit
>> +## dispatcher.
>> +##</summary>
>> +##<param name="domain">
>> +##<summary>
>> +## Domain allowed access.
>> +##</summary>
>> +##</param>
>> +#
>> +interface(`logging_dbus_send_dispatcher',`
>> + gen_require(`
>> + type audisp_t;
>> + class dbus send_msg;
>> + ')
>> +
>> + allow $1 audisp_t:dbus send_msg;
>> +')
>
>
> Not required; use logging_dbus_chat_audisp()
>
> Although I doubt that audisp has dbus functionality at all in the first
> place. (I may well be wrong)
I believe the purpose of this dbus functionality is for auditd to send
(via audisp) a message to setroubleshoot when there is a denial.
>> +########################################
>> +##<summary>
>> +## Send and receive messages from
>> +## the audit dispatcher over dbus.
>> +##</summary>
>> +##<param name="domain">
>> +##<summary>
>> +## Domain allowed access.
>> +##</summary>
>> +##</param>
>> +#
>> +interface(`logging_dbus_chat_dispatcher',`
>> + gen_require(`
>> + type audisp_t;
>> + class dbus send_msg;
>> + ')
>> +
>> + allow $1 audisp_t:dbus send_msg;
>> + allow audisp_t $1:dbus send_msg;
>> +')
>> +
>> +########################################
>> +##<summary>
>> ## Manage the auditd configuration files.
>> ##</summary>
>> ##<param name="domain">
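Review bot: The first rule in logging_dbus_chat_dispatcher, `allow $1 audisp_t:dbus send_msg;`, is the entire body of logging_dbus_send_dispatcher added earlier in this same hunk, so the two new interfaces overlap, and neither one is called anywhere in the lines quoted here (the logging.te change calls only setroubleshoot_dbus_send(audisp_t)). Keep one of them and add its caller in the same patch, or drop both. The patch description should also say which domain needs to reach audisp_t over D-Bus, since the summaries only restate the rules.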
>> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.te refpolicy-git-18012011-dbus/policy/modules/system/logging.te
>> --- refpolicy-git-18012011/policy/modules/system/logging.te 2011-01-08 19:07:21.356759360 +0100
>> +++ refpolicy-git-18012011-dbus/policy/modules/system/logging.te 2011-01-23 22:00:15.134148069 +0100
>> @@ -246,6 +246,10 @@ optional_policy(`
>> dbus_system_bus_client(audisp_t)
>> ')
>>
>> +optional_policy(`
>> + setroubleshoot_dbus_send(audisp_t)
>> +')
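Review bot: The new optional_policy block is a sibling of the block ending just above it that holds `dbus_system_bus_client(audisp_t)`, so `setroubleshoot_dbus_send(audisp_t)` can be enabled in a build where audisp_t was never made a system bus client. Nest the new block inside the existing dbus one so the setroubleshoot call is only pulled in together with bus access, and add a comment saying why audisp_t sends messages to setroubleshoot.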
>
> This should take care of chatting to audisp_t so the logging interfaces
> above may no longer be needed.
>
> I would have used setroubleshoot_dbus_chat() though
It's unclear, though I would think that send would be sufficient. I
don't see a need for there to be a response to audisp.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com