* [refpolicy] [PATCH 1/2] Label /var/run/mdadm/map as mdadm_map_t
From: Laurent Bigonville @ 2012-09-11 23:31 UTC
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
mdadm is now creating map file under /run/mdadm/map
---
raid.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/raid.fc b/raid.fc
index ed9c70d..e3c8bfb 100644
--- a/raid.fc
+++ b/raid.fc
@@ -4,3 +4,4 @@
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
+/var/run/mdadm/map -- gen_context(system_u:object_r:mdadm_map_t,s0)
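Review bot: the added /var/run/mdadm/map entry on the last line of the hunk gives one file a different type (mdadm_map_t) from the directory pattern just above it (mdadm_var_run_t), yet this patch touches only raid.fc. A file context entry takes effect at relabel time, so a map file that mdadm creates at runtime inside that directory will take the directory's type unless the policy also carries a file type transition to mdadm_map_t. Either point to or add that rule in the module's .te file, or label the file mdadm_var_run_t and drop the line. The commit message also says /run/mdadm/map while the entry is written for /var/run; state in the message that this relies on /run being treated as equivalent to /var/run.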
--
1.7.10.4
* [refpolicy] [PATCH 2/2] Add Debian location for accounts-daemon daemon
From: Laurent Bigonville @ 2012-09-11 23:31 UTC
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
---
accountsd.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/accountsd.fc b/accountsd.fc
index 1adca53..414e917 100644
--- a/accountsd.fc
+++ b/accountsd.fc
@@ -1,3 +1,7 @@
/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
+ifdef(`distro_debian',`
+/usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
+')
+
/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
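Review bot: the ifdef(`distro_debian' block added after the /usr/libexec entry arrives with an empty commit message, so nothing records which Debian package installs accounts-daemon under /usr/lib/accountsservice or why the entry has to be distribution-conditional. Add a one-line description, and consider whether the path needs the ifdef at all: an unconditional entry with the same accountsd_exec_t context would match nothing on systems that lack the file.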
--
1.7.10.4
* [refpolicy] [PATCH 1/2] Label /var/run/mdadm/map as mdadm_map_t
From: Dominick Grift @ 2012-09-12 16:49 UTC
To: refpolicy
On Wed, 2012-09-12 at 01:31 +0200, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> mdadm is now creating map file under /run/mdadm/map
> ---
> raid.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/raid.fc b/raid.fc
> index ed9c70d..e3c8bfb 100644
> --- a/raid.fc
> +++ b/raid.fc
> @@ -4,3 +4,4 @@
> /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
>
> /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
> +/var/run/mdadm/map -- gen_context(system_u:object_r:mdadm_map_t,s0)
I think it's probably best to drop mdadm_map_t and make it an alias of
mdadm_var_run_t instead.

I have some changes from both myself and Fedora for raid module in the
pipeline.

It sucks though because both Fedora as well as refpolicy made mdadm_t an
unconfined type. That basically makes it almost impossible for us to
develop it further and receive feedback on it.
* [refpolicy] [PATCH 2/2] Add Debian location for accounts-daemon daemon
From: Dominick Grift @ 2012-09-13 12:18 UTC
To: refpolicy
On Wed, 2012-09-12 at 01:31 +0200, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> ---
> accountsd.fc | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/accountsd.fc b/accountsd.fc
> index 1adca53..414e917 100644
> --- a/accountsd.fc
> +++ b/accountsd.fc
> @@ -1,3 +1,7 @@
> /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
>
> +ifdef(`distro_debian',`
> +/usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
> +')
> +
> /var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
This was merged, thanks
* [refpolicy] [PATCH 1/2] Label /var/run/mdadm/map as mdadm_map_t
From: Daniel J Walsh @ 2012-09-13 15:36 UTC
To: refpolicy
On 09/12/2012 12:49 PM, Dominick Grift wrote:
>
>
> On Wed, 2012-09-12 at 01:31 +0200, Laurent Bigonville wrote:
>> From: Laurent Bigonville <bigon@bigon.be>
>>
>> mdadm is now creating map file under /run/mdadm/map --- raid.fc | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/raid.fc b/raid.fc index ed9c70d..e3c8bfb 100644 ---
>> a/raid.fc +++ b/raid.fc @@ -4,3 +4,4 @@ /sbin/mdmpd --
>> gen_context(system_u:object_r:mdadm_exec_t,s0)
>>
>> /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
>> +/var/run/mdadm/map -- gen_context(system_u:object_r:mdadm_map_t,s0)
>
> I think it's probably best to drop mdadm_map_t and make it an alias of
> mdadm_var_run_t instead.
>
> I have some changes from both myself and Fedora for raid module in the
> pipeline.
>
> It sucks though because both Fedora as well as refpolicy made mdadm_t an
> unconfined type. That basically makes it almost impossible for us to
> develop it further and receive feedback on it.
>
> _______________________________________________ refpolicy mailing list
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
>
Dominick, let's turn that off in Rawhide.
* [refpolicy] [PATCH 1/2] Label /var/run/mdadm/map as mdadm_map_t
From: Dominick Grift @ 2012-09-13 16:09 UTC
To: refpolicy
On Thu, 2012-09-13 at 11:36 -0400, Daniel J Walsh wrote:
> On 09/12/2012 12:49 PM, Dominick Grift wrote:
> >
> >
> > On Wed, 2012-09-12 at 01:31 +0200, Laurent Bigonville wrote:
> >> From: Laurent Bigonville <bigon@bigon.be>
> >>
> >> mdadm is now creating map file under /run/mdadm/map --- raid.fc | 1 +
> >> 1 file changed, 1 insertion(+)
> >>
> >> diff --git a/raid.fc b/raid.fc index ed9c70d..e3c8bfb 100644 ---
> >> a/raid.fc +++ b/raid.fc @@ -4,3 +4,4 @@ /sbin/mdmpd --
> >> gen_context(system_u:object_r:mdadm_exec_t,s0)
> >>
> >> /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
> >> +/var/run/mdadm/map -- gen_context(system_u:object_r:mdadm_map_t,s0)
> >
> > I think it's probably best to drop mdadm_map_t and make it an alias of
> > mdadm_var_run_t instead.
> >
> > I have some changes from both myself and Fedora for raid module in the
> > pipeline.
> >
> > It sucks though because both Fedora as well as refpolicy made mdadm_t an
> > unconfined type. That basically makes it almost impossible for us to
> > develop it further and receive feedback on it.
> >
> >
> Dominick, let's turn that off in Rawhide.
>
That is a good idea. I would like to hear pebenito's opinion about
removing it in refpolicy as well.

What caused refpolicy to make mdadm_t an unconfined domain in the first
place?
* [refpolicy] [PATCH 1/2] Label /var/run/mdadm/map as mdadm_map_t
From: Christopher J. PeBenito @ 2012-09-13 17:42 UTC
To: refpolicy
On 09/13/12 12:09, Dominick Grift wrote:
>
>
> On Thu, 2012-09-13 at 11:36 -0400, Daniel J Walsh wrote:
>> On 09/12/2012 12:49 PM, Dominick Grift wrote:
>>>
>>>
>>> On Wed, 2012-09-12 at 01:31 +0200, Laurent Bigonville wrote:
>>>> From: Laurent Bigonville <bigon@bigon.be>
>>>>
>>>> mdadm is now creating map file under /run/mdadm/map --- raid.fc | 1 +
>>>> 1 file changed, 1 insertion(+)
>>>>
>>>> diff --git a/raid.fc b/raid.fc index ed9c70d..e3c8bfb 100644 ---
>>>> a/raid.fc +++ b/raid.fc @@ -4,3 +4,4 @@ /sbin/mdmpd --
>>>> gen_context(system_u:object_r:mdadm_exec_t,s0)
>>>>
>>>> /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
>>>> +/var/run/mdadm/map -- gen_context(system_u:object_r:mdadm_map_t,s0)
>>>
>>> I think it's probably best to drop mdadm_map_t and make it an alias of
>>> mdadm_var_run_t instead.
>>>
>>> I have some changes from both myself and Fedora for raid module in the
>>> pipeline.
>>>
>>> It sucks though because both Fedora as well as refpolicy made mdadm_t an
>>> unconfined type. That basically makes it almost impossible for us to
>>> develop it further and receive feedback on it.
>>>
>> Dominick, let's turn that off in Rawhide.
>>
>
> That is a good idea. I would like to hear pebenito's opinion about
> removing it in refpolicy as well.
>
> What caused refpolicy to make mdadm_t an unconfined domain in the first
> place?
I'm fine with it. I suspect it's a remnant of the original targeted policy where only network-facing services were confined.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 1/2] Label /var/run/mdadm/map as mdadm_map_t
From: Sven Vermeulen @ 2012-09-14 15:30 UTC
To: refpolicy
On Sep 13, 2012 7:43 PM, "Christopher J. PeBenito" <cpebenito@tresys.com>
wrote:
> I'm fine with it. I suspect it's a remnant of the original targeted
> policy where only network-facing services were confined.
We have been running without unconfined in Gentoo on quite a few systems
with raid and swraid with little additional patches on the domain. I even
think without patches, but don't have access to the patch list currently to
verify.