what is /sys/fs/selinux/policy_capabilities/redhat1

what is /sys/fs/selinux/policy_capabilities/redhat1

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


I noticed that object what is it for?

- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJW9RUqAAoJECV0jlU3+UdpJ9EMALQiArZ4yK9VEUeVysaXrKUc
MHLu0hguRoaOmJjq22bO9xSFHVk+0kdVU5iIKydu7lxTdhzjX1eilaFA/f/pyN0O
rzBwkmK6VXLpp3EA+bpi/+Sqvx76PM6TlU0AO/lecd3mF9wtxAkmeH4MQCiUJfHq
X9aFJe2lsoLPbG+2F1MsROtgWx7FCBd9A4EvcSaZIqaW7ug0vW4z8sCO44vA/Lqh
/ZI/ALPP5Owx+M+rjaJkuczaF0X1OYUSX9PfdDC+PQ0bAnJVVf7LNGP7qDRR0lZn
JkHkRCUrUBdAPzzZ1sQgxH3/yFBr4c9bBfRQHvojaMMbcaGLr9mYgwjRXj8BJg94
a21X3g9XsiBATkgSXQAxwtOZep4r5IGrmWCuv6qh26Fd//Y2l7pQAx3hQ20/GPo9
vJ0WlV1f/YlNKr2mfrA/+F0PQLgZLtugLucNIKdVeBmAM87DX0Kkvyk+9lHloCqF
DlFUcwOa93IN4cMTonFN0jjAv/YwEbFHXFxSNxYEfA==
=6dJN
-----END PGP SIGNATURE-----

Re: what is /sys/fs/selinux/policy_capabilities/redhat1

[Stephen Smalley]

On 03/25/2016 06:38 AM, Dominick Grift wrote:
> 
> I noticed that object what is it for?

Red Hat reserved a policy capability when they were testing
ptrace_child, which they ultimately discarded.  So it is presently
unused and maybe could be reclaimed?  I assume ptrace_child never made
it into any RHEL release?

Oddly, I see that current Fedora policy still defines a ptrace_child
permission in class process, even though the kernel knows nothing about it.

Re: what is /sys/fs/selinux/policy_capabilities/redhat1

[Daniel J Walsh]

On 03/25/2016 08:31 AM, Stephen Smalley wrote:
> On 03/25/2016 06:38 AM, Dominick Grift wrote:
>> I noticed that object what is it for?
> Red Hat reserved a policy capability when they were testing
> ptrace_child, which they ultimately discarded.  So it is presently
> unused and maybe could be reclaimed?  I assume ptrace_child never made
> it into any RHEL release?
>
> Oddly, I see that current Fedora policy still defines a ptrace_child
> permission in class process, even though the kernel knows nothing about it.
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>
>
We should probably drop it.

Re: what is /sys/fs/selinux/policy_capabilities/redhat1

[Paul Moore]

On Fri, Mar 25, 2016 at 9:14 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 03/25/2016 08:31 AM, Stephen Smalley wrote:
>> On 03/25/2016 06:38 AM, Dominick Grift wrote:
>>>
>>> I noticed that object what is it for?
>>
>> Red Hat reserved a policy capability when they were testing
>> ptrace_child, which they ultimately discarded.  So it is presently
>> unused and maybe could be reclaimed?  I assume ptrace_child never made
>> it into any RHEL release?
>>
>> Oddly, I see that current Fedora policy still defines a ptrace_child
>> permission in class process, even though the kernel knows nothing about
>> it.
>
> We should probably drop it.

I just added a note to the BZ below to get the permission removed from
the Fedora policy.

 * https://bugzilla.redhat.com/show_bug.cgi?id=802072

As for the "redhat1" policycap and the kernel, we could remove it, but
I would just assume leave it there until we have a new policycap to
take its place.

-- 
paul moore
www.paul-moore.com