http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_setroubleshoot.patch
Removed initrc part of the patch.
On Tue, 2009-06-30 at 08:53 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_setroubleshoot.patch
>
> Removed initrc part of the patch.
You have this:
+# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
+allow setroubleshootd_t self:process { execmem execstack };
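Review bot: The allow rule grants both execmem and execstack to setroubleshootd_t unconditionally, while the comment above it describes the need as arising only "if bad library causes setroubleshoot to require these" and does not name the library. Name the offending library in the comment so the rule can be removed once it is fixed. If the rule has to stay, put it inside a distro-specific block rather than the common policy, so the daemon does not carry executable-memory permissions everywhere by default.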
Is this anticipated to be a temporary issue? If so, I'd prefer to keep
it out of refpolicy upstream. Otherwise it would seem to be better to
be in a distro_redhat.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
On 07/20/2009 02:27 PM, Christopher J. PeBenito wrote:
> On Tue, 2009-06-30 at 08:53 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_setroubleshoot.patch
>>
>> Removed initrc part of the patch.
>
> You have this:
>
> +# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
> +allow setroubleshootd_t self:process { execmem execstack };
>
> Is this anticipated to be a temporary issue? If so, I'd prefer to keep
> it out of refpolicy upstream. Otherwise it would seem to be better to
> be in a distro_redhat.
>
Maybe make it a dontaudit?