2008-11-25 21:35:14

by Daniel Walsh

[permalink] [raw]
Subject: [refpolicy] kernel_corecommands.patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corecommands.patch

Add bin_t for several cups binaries.

Move some for Brother to a higher level

Add bin_t for ConsoleKit scripts

Add bin_t for pam_krb5_storegtmp

Add sys_chroot capability to corecmd_exec_chroot interface
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkksb5IACgkQrlYvE4MpobMgBACghZEE/FYb8aLrluhmayh9Z5Rd
juoAn2vQnHJQcL5WeToZhzdyD2e+19Zx
=tc/L
-----END PGP SIGNATURE-----


2008-12-02 22:51:25

by cpebenito

[permalink] [raw]
Subject: [refpolicy] kernel_corecommands.patch

On Tue, 2008-11-25 at 16:35 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corecommands.patch
>
> Add bin_t for several cups binaries.
>
> Move some for Brother to a higher level
>
> Add bin_t for ConsoleKit scripts

Merged, with some rearrangement.

> Add bin_t for pam_krb5_storegtmp

Conflicts with pam_exec_t labeling.

> Add sys_chroot capability to corecmd_exec_chroot interface

While I agree in principle, I would want to remove it from unprivileged
users.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2008-12-06 13:00:44

by martin

[permalink] [raw]
Subject: [refpolicy] kernel_corecommands.patch

On 02/12/08 22:51, Christopher J. PeBenito wrote:
> On Tue, 2008-11-25 at 16:35 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corecommands.patch
>>
>> Add bin_t for ConsoleKit scripts
>
> Merged, with some rearrangement.

It is not clear to me - why should these be labelled as bin_t instead of
consolekit_exec_t? Are they run by anything other than consolekit?

Best wishes,

--
Martin Orr

2008-12-09 13:43:18

by Daniel Walsh

[permalink] [raw]
Subject: [refpolicy] kernel_corecommands.patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin Orr wrote:
> On 02/12/08 22:51, Christopher J. PeBenito wrote:
>> On Tue, 2008-11-25 at 16:35 -0500, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corecommands.patch
>>>
>>> Add bin_t for ConsoleKit scripts
>> Merged, with some rearrangement.
>
> It is not clear to me - why should these be labelled as bin_t instead of
> consolekit_exec_t? Are they run by anything other than consolekit?
>
> Best wishes,
>
not currently, but we do not always label all binaries with a context
that can cause a transition. And theoretically these scripts could be
used by another application. Just because a script is labeled bin_t and
can be executed by a confined domain, does not mean it adds any privs to
the confined domain. bin_t apps will execute in the current domain.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk+dfYACgkQrlYvE4MpobOefACfUaDejpp4pNWIVfF8CkID3in4
72wAnRJbvS4BZoUiINyDFr2lfdhIoXqN
=xek3
-----END PGP SIGNATURE-----