* [refpolicy] Any word on updating the base so we can start pushing fixes into contrib? @ 2011-12-13 18:53 Daniel J Walsh 2011-12-13 19:02 ` Christopher J. PeBenito 0 siblings, 1 reply; 7+ messages in thread From: Daniel J Walsh @ 2011-12-13 18:53 UTC (permalink / raw) To: refpolicy ^ permalink raw reply [flat|nested] 7+ messages in thread
* [refpolicy] Any word on updating the base so we can start pushing fixes into contrib? 2011-12-13 18:53 [refpolicy] Any word on updating the base so we can start pushing fixes into contrib? Daniel J Walsh @ 2011-12-13 19:02 ` Christopher J. PeBenito 2011-12-13 20:33 ` Daniel J Walsh 0 siblings, 1 reply; 7+ messages in thread From: Christopher J. PeBenito @ 2011-12-13 19:02 UTC (permalink / raw) To: refpolicy Which patch(es) are blocking that? -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 7+ messages in thread
* [refpolicy] Any word on updating the base so we can start pushing fixes into contrib? 2011-12-13 19:02 ` Christopher J. PeBenito @ 2011-12-13 20:33 ` Daniel J Walsh 2011-12-15 13:54 ` Christopher J. PeBenito 0 siblings, 1 reply; 7+ messages in thread From: Daniel J Walsh @ 2011-12-13 20:33 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/13/2011 02:02 PM, Christopher J. PeBenito wrote: > Which patch(es) are blocking that? > Add new attributes to define a domain as an homedirreader or homedirwriter. New Policy for sblim New policy for glance from fedora New policy for matahari -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7ntoUACgkQrlYvE4MpobN1NQCg5k7qgu3/ZC0PpDwuCkUzo7Nc y+wAnRdEL+XcWjynTV7wFQyKxEwBEFi7 =I5q4 -----END PGP SIGNATURE----- -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: userdomain_homedir_manager.patch Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20111213/86258df5/attachment.pl -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: glance_base.patch Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20111213/86258df5/attachment-0001.pl -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: matahari_base.patch Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20111213/86258df5/attachment-0002.pl -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: sblim_base.patch Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20111213/86258df5/attachment-0003.pl ^ permalink raw reply [flat|nested] 7+ messages in thread
* [refpolicy] Any word on updating the base so we can start pushing fixes into contrib? 2011-12-13 20:33 ` Daniel J Walsh @ 2011-12-15 13:54 ` Christopher J. PeBenito 2011-12-15 14:56 ` Daniel J Walsh 2011-12-15 19:10 ` Daniel J Walsh 0 siblings, 2 replies; 7+ messages in thread From: Christopher J. PeBenito @ 2011-12-15 13:54 UTC (permalink / raw) To: refpolicy On 12/13/11 15:33, Daniel J Walsh wrote: > On 12/13/2011 02:02 PM, Christopher J. PeBenito wrote: >> Which patch(es) are blocking that? > > Add new attributes to define a domain as an homedirreader or > homedirwriter. I don't agree with the homedirreader and homedirwriter concepts. I think the appropriate way is to abstract all of this noxattr home dir access is to do this for all of the existing interfaces. I would have done this in the first place, if there wasn't the problem with nested conditionals. So for example, take userdom_list_user_home_content. The ideal would be interface(`userdom_list_user_home_content',` gen_require(` type user_home_t; ') allow $1 user_home_t:dir list_dir_perms; tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1) ') tunable_policy(`use_samba_home_dirs',` fs_read_cifs_files($1) ') ') But since this would cause problems if calls to this interface were in a conditional, we couldn't do this. I'd be fine taking an attribute style implementation like you have in this patch, but it would have to be for all of the relevant existing interfaces. That should have the benefit of eliminating all of the use_nfs_home_dirs and use_samba_home_dirs strewn all over the policy. If you skip the relabel, filetrans, domtrans, and dontaudit interfaces, I came up with 19 interfaces. > New Policy for sblim > New policy for glance from fedora > New policy for matahari I've merged these. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 7+ messages in thread
* [refpolicy] Any word on updating the base so we can start pushing fixes into contrib? 2011-12-15 13:54 ` Christopher J. PeBenito @ 2011-12-15 14:56 ` Daniel J Walsh 2011-12-16 15:29 ` Christopher J. PeBenito 2011-12-15 19:10 ` Daniel J Walsh 1 sibling, 1 reply; 7+ messages in thread From: Daniel J Walsh @ 2011-12-15 14:56 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/15/2011 08:54 AM, Christopher J. PeBenito wrote: > On 12/13/11 15:33, Daniel J Walsh wrote: >> On 12/13/2011 02:02 PM, Christopher J. PeBenito wrote: >>> Which patch(es) are blocking that? >> >> Add new attributes to define a domain as an homedirreader or >> homedirwriter. > > I don't agree with the homedirreader and homedirwriter concepts. I > think the appropriate way is to abstract all of this noxattr home > dir access is to do this for all of the existing interfaces. I > would have done this in the first place, if there wasn't the > problem with nested conditionals. > > So for example, take userdom_list_user_home_content. The ideal > would be > > interface(`userdom_list_user_home_content',` gen_require(` type > user_home_t; ') > > allow $1 user_home_t:dir list_dir_perms; > > tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1) ') > > tunable_policy(`use_samba_home_dirs',` fs_read_cifs_files($1) ') > ') > > But since this would cause problems if calls to this interface were > in a conditional, we couldn't do this. I'd be fine taking an > attribute style implementation like you have in this patch, but it > would have to be for all of the relevant existing interfaces. That > should have the benefit of eliminating all of the use_nfs_home_dirs > and use_samba_home_dirs strewn all over the policy. If you skip > the relabel, filetrans, domtrans, and dontaudit interfaces, I came > up with 19 interfaces. > Are you doing these or do you want me to? > >> New Policy for sblim New policy for glance from fedora New policy >> for matahari > > I've merged these. > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7qCqAACgkQrlYvE4MpobNCxwCgl1yQIHIXumA+SYy9XX1Nlt/v YhcAn1F6Hxv+O4+0fDSnoV6uQ00LutJ0 =Vr46 -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 7+ messages in thread
* [refpolicy] Any word on updating the base so we can start pushing fixes into contrib? 2011-12-15 14:56 ` Daniel J Walsh @ 2011-12-16 15:29 ` Christopher J. PeBenito 0 siblings, 0 replies; 7+ messages in thread From: Christopher J. PeBenito @ 2011-12-16 15:29 UTC (permalink / raw) To: refpolicy On 12/15/11 09:56, Daniel J Walsh wrote: > On 12/15/2011 08:54 AM, Christopher J. PeBenito wrote: >> On 12/13/11 15:33, Daniel J Walsh wrote: >>> On 12/13/2011 02:02 PM, Christopher J. PeBenito wrote: >>>> Which patch(es) are blocking that? >>> >>> Add new attributes to define a domain as an homedirreader or >>> homedirwriter. > >> I don't agree with the homedirreader and homedirwriter concepts. I >> think the appropriate way is to abstract all of this noxattr home >> dir access is to do this for all of the existing interfaces. I >> would have done this in the first place, if there wasn't the >> problem with nested conditionals. > >> So for example, take userdom_list_user_home_content. The ideal >> would be > >> interface(`userdom_list_user_home_content',` gen_require(` type >> user_home_t; ') > >> allow $1 user_home_t:dir list_dir_perms; > >> tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1) ') > >> tunable_policy(`use_samba_home_dirs',` fs_read_cifs_files($1) ') >> ') > >> But since this would cause problems if calls to this interface were >> in a conditional, we couldn't do this. I'd be fine taking an >> attribute style implementation like you have in this patch, but it >> would have to be for all of the relevant existing interfaces. That >> should have the benefit of eliminating all of the use_nfs_home_dirs >> and use_samba_home_dirs strewn all over the policy. If you skip >> the relabel, filetrans, domtrans, and dontaudit interfaces, I came >> up with 19 interfaces. > > Are you doing these or do you want me to? I'm going to have to do more thinking about this. Instead of running into the nested conditionals problem, its going to run into the problem of type_attributes in conditionals. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 7+ messages in thread
* [refpolicy] Any word on updating the base so we can start pushing fixes into contrib? 2011-12-15 13:54 ` Christopher J. PeBenito 2011-12-15 14:56 ` Daniel J Walsh @ 2011-12-15 19:10 ` Daniel J Walsh 1 sibling, 0 replies; 7+ messages in thread From: Daniel J Walsh @ 2011-12-15 19:10 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/15/2011 08:54 AM, Christopher J. PeBenito wrote: > On 12/13/11 15:33, Daniel J Walsh wrote: >> On 12/13/2011 02:02 PM, Christopher J. PeBenito wrote: >>> Which patch(es) are blocking that? >> >> Add new attributes to define a domain as an homedirreader or >> homedirwriter. > > I don't agree with the homedirreader and homedirwriter concepts. I > think the appropriate way is to abstract all of this noxattr home > dir access is to do this for all of the existing interfaces. I > would have done this in the first place, if there wasn't the > problem with nested conditionals. > > So for example, take userdom_list_user_home_content. The ideal > would be > > interface(`userdom_list_user_home_content',` gen_require(` type > user_home_t; ') > > allow $1 user_home_t:dir list_dir_perms; > > tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1) ') > > tunable_policy(`use_samba_home_dirs',` fs_read_cifs_files($1) ') > ') > > But since this would cause problems if calls to this interface were > in a conditional, we couldn't do this. I'd be fine taking an > attribute style implementation like you have in this patch, but it > would have to be for all of the relevant existing interfaces. That > should have the benefit of eliminating all of the use_nfs_home_dirs > and use_samba_home_dirs strewn all over the policy. If you skip > the relabel, filetrans, domtrans, and dontaudit interfaces, I came > up with 19 interfaces. > > >> New Policy for sblim New policy for glance from fedora New policy >> for matahari > > I've merged these. > One other comment on the homemanager stuff. I don't think it is as easy to say just if you use a userdom_*_home interface, since in a lot of cases confined domains might only be allowed to manage a labeled file in the homedir. For example sshd_t can only read ssh_home_t but would still be a userhomereader. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7qRhEACgkQrlYvE4MpobNhJgCfTb7cLW0uKo+oIbUxClgljx5N xpAAoKxmbmhETsTKU5K0j4Nm15RBUjzW =VwXj -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2011-12-16 15:29 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2011-12-13 18:53 [refpolicy] Any word on updating the base so we can start pushing fixes into contrib? Daniel J Walsh 2011-12-13 19:02 ` Christopher J. PeBenito 2011-12-13 20:33 ` Daniel J Walsh 2011-12-15 13:54 ` Christopher J. PeBenito 2011-12-15 14:56 ` Daniel J Walsh 2011-12-16 15:29 ` Christopher J. PeBenito 2011-12-15 19:10 ` Daniel J Walsh
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.