From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc apps and admin patches
Date: Wed, 20 Jan 2021 16:06:25 +0100
In-Reply-To: <10140498.mdnUOP6vMp@liv> (Russell Coker's message of "Thu, 21 Jan 2021 00:36:04 +1100")

Russell Coker writes:

> On Thursday, 21 January 2021 12:28:49 AM AEDT Dominick Grift wrote:
>> > optional_policy(`
>> > + init_dbus_chat(sysadm_t)
>>
>> Can you explain why you added this?
>
> Apart from the obvious that some program wanted it, no. I'll remove that bit
> and add it again with a note if it's necessary. Did you like the rest of that
> patch?

Yes and that's my beef with this. "some program wanted it". sysadm_t is
a shell domain. Any programs that need this should, in my view, ideally
be targeted. If you don't want that then use unconfined_t instead and be
done. I don't want sysadm_t to become a "drunken unconfined_t".

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
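
Review bot: the added init_dbus_chat(sysadm_t) line in the optional_policy block has no comment naming the program or denial that requires sysadm_t to chat with init over D-Bus, so the grant cannot be audited or safely removed later. Either attach the rule to the domain of the program that needs it, or keep it here with a comment recording which program triggered it.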