* what is /sys/fs/selinux/policy_capabilities/redhat1
From: Dominick Grift @ 2016-03-25 10:38 UTC
To: selinux
I noticed that object. What is it for?
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* Re: what is /sys/fs/selinux/policy_capabilities/redhat1
From: Stephen Smalley @ 2016-03-25 12:31 UTC
To: Dominick Grift, selinux, Eric Paris, Paul Moore, Daniel J Walsh
On 03/25/2016 06:38 AM, Dominick Grift wrote:
>
> I noticed that object. What is it for?
Red Hat reserved a policy capability when they were testing
ptrace_child, which they ultimately discarded. So it is presently
unused and maybe could be reclaimed? I assume ptrace_child never made
it into any RHEL release?
Oddly, I see that current Fedora policy still defines a ptrace_child
permission in class process, even though the kernel knows nothing about it.
* Re: what is /sys/fs/selinux/policy_capabilities/redhat1
From: Daniel J Walsh @ 2016-03-25 13:14 UTC
To: Stephen Smalley, Dominick Grift, selinux, Eric Paris, Paul Moore
On 03/25/2016 08:31 AM, Stephen Smalley wrote:
> On 03/25/2016 06:38 AM, Dominick Grift wrote:
>> I noticed that object. What is it for?
> Red Hat reserved a policy capability when they were testing
> ptrace_child, which they ultimately discarded. So it is presently
> unused and maybe could be reclaimed? I assume ptrace_child never made
> it into any RHEL release?
>
> Oddly, I see that current Fedora policy still defines a ptrace_child
> permission in class process, even though the kernel knows nothing about it.
We should probably drop it.
* Re: what is /sys/fs/selinux/policy_capabilities/redhat1
From: Paul Moore @ 2016-03-28 1:16 UTC
To: Daniel J Walsh, mgrepl
Cc: Stephen Smalley, Dominick Grift, selinux, Eric Paris
On Fri, Mar 25, 2016 at 9:14 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 03/25/2016 08:31 AM, Stephen Smalley wrote:
>> On 03/25/2016 06:38 AM, Dominick Grift wrote:
>>>
>>> I noticed that object. What is it for?
>>
>> Red Hat reserved a policy capability when they were testing
>> ptrace_child, which they ultimately discarded. So it is presently
>> unused and maybe could be reclaimed? I assume ptrace_child never made
>> it into any RHEL release?
>>
>> Oddly, I see that current Fedora policy still defines a ptrace_child
>> permission in class process, even though the kernel knows nothing about
>> it.
>
> We should probably drop it.
I just added a note to the BZ below to get the permission removed from
the Fedora policy.
* https://bugzilla.redhat.com/show_bug.cgi?id=802072
As for the "redhat1" policycap and the kernel, we could remove it, but
I would just as soon leave it there until we have a new policycap to
take its place.
--
paul moore
www.paul-moore.com
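
The two observations in this thread (an unused "redhat1" policy capability, and a ptrace_child permission still defined by the loaded policy) can both be checked from selinuxfs. The script below is an added example, not code from any poster in the thread; the function names and the SELINUXFS override (used to point the checks at a mock tree) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit policy capabilities and policy-defined permissions
# through selinuxfs. SELINUXFS is an assumed override for the mount point.
: "${SELINUXFS:=/sys/fs/selinux}"

# Print "name=value" for every policy capability the kernel exposes.
# Each file reads 1 if the loaded policy enables the capability, else 0.
list_policycaps() {
    for f in "$SELINUXFS"/policy_capabilities/*; do
        [ -f "$f" ] || continue
        printf '%s=%s\n' "${f##*/}" "$(cat "$f")"
    done
}

# Return 0 if the named policy capability exists and is enabled.
policycap_enabled() {
    f="$SELINUXFS/policy_capabilities/$1"
    [ -f "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Return 0 if the loaded policy defines permission $2 in class $1.
# selinuxfs exposes the loaded policy's view under class/<class>/perms/.
policy_defines_perm() {
    [ -e "$SELINUXFS/class/$1/perms/$2" ]
}

# One-line summary for a capability and a class/permission pair.
report() {
    cap=$1 class=$2 perm=$3
    if [ ! -e "$SELINUXFS/policy_capabilities/$cap" ]; then
        state=absent
    elif policycap_enabled "$cap"; then
        state=enabled
    else
        state=disabled
    fi
    if policy_defines_perm "$class" "$perm"; then
        defined=defined
    else
        defined=undefined
    fi
    printf 'policycap %s: %s; %s:%s %s in loaded policy\n' \
        "$cap" "$state" "$class" "$perm" "$defined"
}
```

On a live system, `report redhat1 process ptrace_child` summarises both items discussed above; note that the perms directory reflects what the policy defines, not what the kernel checks.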