Subject: Re: [PATCH] strict patches
From: Daniel Burgener
To: Russell Coker, selinux-refpolicy@vger.kernel.org
Date: Tue, 12 Jan 2021 09:18:42 -0500
Message-ID: <9e38ca3b-cc76-2b52-dcd5-01c661cdcfcd@linux.microsoft.com>
In-Reply-To: <40e12eb0-782d-2a73-3cd9-a2e2cca2d916@linux.microsoft.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/12/21 9:15 AM, Daniel Burgener wrote:
> On 1/12/21 5:31 AM, Russell Coker wrote:
>> Also remove the systemd_analyze_t domain which
>> does no good.
>
> I proposed this same change on github:
> https://github.com/SELinuxProject/refpolicy/pull/321
>
> The consensus there was that having a separate domain for this access
> would add value and the better direction would be to flesh out the
> permissions it needs. We have a bit of a starting point locally on
> that. I'm not sure what shape it's in with regard to upstreaming, but
> I'll talk to the developer who worked on it.
>
> -Daniel

My mistake - looks like we ended up granting the needed permissions to the parent domain in our environment, so I don't have any systemd-analyze policy available for upstream. I still might try developing some, but I don't expect that I'm likely to get to it soon.

-Daniel