http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
Add initrc labeling support
/var/agentx needs a label
Clean up admin interface
snmp needs getsched, setsched
needs ipc_lock and sys_ptrace
Reads file systems and rw xen state
Dontaudit ptrace domains
Checks all executables
Does walks of the file systems
Execs consoletype,
Communicates with virtual machines and xen machines
On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
>
> Add initrc labeling support
>
> /var/agentx needs a label
>
> Clean up admin interface
>
> snmp needs getsched, setsched
>
> needs ipc_lock and sys_ptrace
These two caps came up earlier this week; it makes me wonder if there is
any similarity (does it fit into a pattern?). The other one had kill
(was already on snmpd_t), sys_ptrace, and ipc_lock too. Snmpd doesn't
have process ptrace or process sigkill perms, which is why this seems
questionable.
> Reads file systems and rw xen state
>
> Dontaudit ptrace domains
>
> Checks all executables
>
> Does walks of the file systems
>
> Execs consoletype,
>
> Communicates with virtual machines and xen machines
I put the kernel_*_xen_state() calls in with the other xen_*() calls.
Merged with some other tweaks.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
Christopher J. PeBenito wrote:
> On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
>>
>> Add initrc labeling support
>>
>> /var/agentx needs a label
>>
>> Clean up admin interface
>>
>> snmp needs getsched, setsched
>>
>> needs ipc_lock and sys_ptrace
>
> These two caps came up earlier this week; it makes me wonder if there is
> any similarity (does it fit into a pattern?). The other one had kill
> (was already on snmpd_t), sys_ptrace, and ipc_lock too. Snmpd doesn't
> have process ptrace or process sigkill perms, which is why this seems
> questionable.
>
>> Reads file systems and rw xen state
>>
>> Dontaudit ptrace domains
>>
>> Checks all executables
>>
>> Does walks of the file systems
>>
>> Execs consoletype,
>>
>> Communicates with virtual machines and xen machines
>
> I put the kernel_*_xen_state() calls in with the other xen_*() calls.
>
> Merged with some other tweaks.
>
But the xen stuff is optional while the kernel* calls are not. So if
you used a policy without xen policy you still want to use the xen device.
On Wed, 2008-12-03 at 18:09 -0500, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
> >>
> >> Communicates with virtual machines and xen machines
> >
> > I put the kernel_*_xen_state() calls in with the other xen_*() calls.
> >
> > Merged with some other tweaks.
> >
> But the xen stuff is optional while the kernel* calls are not. So if
> you used a policy without xen policy you still want to use the xen device.
That doesn't make any sense to me. Why would it still be using the xen
proc interfaces if there is no xen?
Christopher J. PeBenito wrote:
> On Wed, 2008-12-03 at 18:09 -0500, Daniel J Walsh wrote:
>> Christopher J. PeBenito wrote:
>>> On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
>>>>
>
>>>> Communicates with virtual machines and xen machines
>>> I put the kernel_*_xen_state() calls in with the other xen_*() calls.
>>>
>>> Merged with some other tweaks.
>>>
>> But the xen stuff is optional while the kernel* calls are not. So if
>> you used a policy without xen policy you still want to use the xen device.
>
> That doesn't make any sense to me. Why would it still be using the xen
> proc interfaces if there is no xen?
>
If I have xen devices defined but use some policy other than xen, say
initrc_t, or myxen or expanded virt, whatever. The devices are defined
in devices.te and the other xen calls are defined in xen.if; they are not
the same.
On Thu, 2008-12-04 at 14:21 -0500, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Wed, 2008-12-03 at 18:09 -0500, Daniel J Walsh wrote:
> >> Christopher J. PeBenito wrote:
> >>> On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
> >>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
> >>>>
> >
> >>>> Communicates with virtual machines and xen machines
> >>> I put the kernel_*_xen_state() calls in with the other xen_*() calls.
> >>>
> >>> Merged with some other tweaks.
> >>>
> >> But the xen stuff is optional while the kernel* calls are not. So if
> >> you used a policy without xen policy you still want to use the xen device.
> >
> > That doesn't make any sense to me. Why would it still be using the xen
> > proc interfaces if there is no xen?
> >
> If I have xen devices defined but use some policy other than xen, say
> initrc_t, or myxen or expanded virt, whatever. The devices are defined
> in devices.te and the other xen calls are defined in xen.if; they are not
> the same.
But we're not talking about devices, we're talking about proc entries.
I wouldn't expect those proc entries to exist except on a xen system, in
which case you also need the xen policy.
Christopher J. PeBenito wrote:
> On Thu, 2008-12-04 at 14:21 -0500, Daniel J Walsh wrote:
>> Christopher J. PeBenito wrote:
>>> On Wed, 2008-12-03 at 18:09 -0500, Daniel J Walsh wrote:
>>>> Christopher J. PeBenito wrote:
>>>>> On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
>>>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
>>>>>>
>>>>>> Communicates with virtual machines and xen machines
>>>>> I put the kernel_*_xen_state() calls in with the other xen_*() calls.
>>>>>
>>>>> Merged with some other tweaks.
>>>>>
>>>> But the xen stuff is optional while the kernel* calls are not. So if
>>>> you used a policy without xen policy you still want to use the xen device.
>>> That doesn't make any sense to me. Why would it still be using the xen
>>> proc interfaces if there is no xen?
>>>
>> If I have xen devices defined but use some policy other than xen, say
>> initrc_t, or myxen or expanded virt, whatever. The devices are defined
>> in devices.te and the other xen calls are defined in xen.if; they are not
>> the same.
>
> But we're not talking about devices, we're talking about proc entries.
> I wouldn't expect those proc entries to exist except on a xen system, in
> which case you also need the xen policy.
>
You would need policy but not necessarily the interfaces that are
defined in xen.if.
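As an added illustration of the placement question argued in this thread (this is not the patch under review and not refpolicy's own snmp.te), here is a refpolicy-style snmp.te fragment that keeps the kernel.if xen-state interfaces unconditional and the xen.if interfaces inside optional_policy. kernel_read_xen_state() and kernel_rw_xen_state() are kernel.if interfaces that are always available; xen_stream_connect() is an assumed xen.if interface name standing in for "the other xen_*() calls".

```m4
policy_module(snmp, 1.0.0)

########################################
#
# Declarations
#

type snmpd_t;
type snmpd_exec_t;
init_daemon_domain(snmpd_t, snmpd_exec_t)

########################################
#
# Local policy
#

# Capabilities from the patch summary. The review point is that
# sys_ptrace is granted while snmpd_t receives no process:ptrace
# permission, so the capability on its own lets it trace nothing.
allow snmpd_t self:capability { ipc_lock sys_ptrace };

# /proc/xen access comes from kernel.if, which is part of every
# policy build, so these calls do not depend on any loadable module.
# Moving them into the optional block below would drop them whenever
# the xen module is not loaded, which is the case raised in the thread.
kernel_read_xen_state(snmpd_t)
kernel_rw_xen_state(snmpd_t)

# Interfaces from xen.if exist only when the xen module is present,
# so they belong in an optional block that is skipped otherwise.
# xen_stream_connect is an assumed interface name for this example.
optional_policy(`
	xen_stream_connect(snmpd_t)
')
```

With this layout a build that omits the xen module still compiles and still grants snmpd_t the proc_xen_t access, while the xen_*() rules are dropped.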