From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 39/39] unconfined: Do not domain transition to xserver_t (unconfined_t is xserver_unconfined)
Date: Tue, 3 Dec 2013 08:53:11 -0500
Message-ID: <529DE247.2080807@tresys.com>
In-Reply-To: <1383990320-3340-39-git-send-email-dominick.grift@gmail.com>

On 11/09/13 04:45, Dominick Grift wrote:
> It would not be sufficient in the current shape anyways because
> unconfined_r is not associated with xserver_t
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
>  policy/modules/system/unconfined.te | 4 ----
>  1 file changed, 4 deletions(-)
> 
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 4e4a4c5..bb1696d 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -198,10 +198,6 @@ optional_policy(`
>  	wine_domtrans(unconfined_t)
>  ')
>  
> -optional_policy(`
> -	xserver_domtrans(unconfined_t)
> -')
> -
>  ########################################
>  #
>  # Unconfined Execmem Local policy
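
Review bot: the removed optional_policy block around xserver_domtrans(unconfined_t) is justified only by facts that sit outside this hunk, so the removal cannot be checked from the diff alone. The subject says unconfined_t is xserver_unconfined and the body says unconfined_r is not associated with xserver_t, but neither the deleted lines nor the surrounding context show where that attribute is granted or where the role association is missing. Please name in the commit message the statement in unconfined.te (or the interface) that makes unconfined_t xserver_unconfined, and say explicitly that an X server started from unconfined_t is meant to keep running in unconfined_t after this change. The body also opens with "It", which has no antecedent once the subject line is separated from it; a stand-alone first sentence would read better in git log.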
 
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
