From: Dominick Grift
To: Daniel Burgener
Cc: Russell Coker, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] strict policy patches
Date: Mon, 11 Oct 2021 18:32:13 +0200
In-Reply-To: (Daniel Burgener's message of "Mon, 11 Oct 2021 12:12:42 -0400")
Message-ID: <871r4rplo2.fsf@defensec.nl>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Daniel Burgener writes:

>> =================================================================== >> --- refpolicy-2.20210908.orig/policy/modules/system/systemd.te >> +++ refpolicy-2.20210908/policy/modules/system/systemd.te >> @@ -65,10 +65,6 @@ type systemd_activate_t; >> type systemd_activate_exec_t; >> init_system_domain(systemd_activate_t, systemd_activate_exec_t) >> -type systemd_analyze_t; >> -type systemd_analyze_exec_t; >> -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t) >> - >> type systemd_backlight_t; >> type systemd_backlight_exec_t; >> init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
>
> I proposed a similar change last year here and the consensus in the PR
> discussion was that it would make more sense to add policy for the
> systemd_analyze_t domain for cases that wanted a transition there, but
> keeping the general approach of running in the parent domain.
>
> https://github.com/SELinuxProject/refpolicy/pull/321
>
> Of course, no one has actually submitted systemd_analyze_t policy yet,
> so maybe the demand for such a use case isn't all that high?
>
> -Daniel
>

I think I might have argued for keeping it around back then but I do not
mind removing it now. It certainly is not an init_daemon_domain(). One
can always add it later if needed.

--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
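
Review bot: the removal at @@ -65,10 +65,6 @@ in policy/modules/system/systemd.te drops the declarations of systemd_analyze_t and systemd_analyze_exec_t, not only the init_daemon_domain() call, so any file-context entry, interface or rule elsewhere that still names either type would then refer to an undeclared type. Only the systemd.te hunk is quoted here; the patch should remove such references in the same change. The commit message should also say that the program will keep running in the parent domain with no transition, and that the type can be reintroduced with its own policy if a use case for a transition appears, since that is the rationale given in this thread and in the earlier PR discussion.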