http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_staff.patch
http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_unprivuser.patch
http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_sysadm.patch
Updated patches including ifndef redhat to remove all the old cruft caused by the per_role_template in ancient policy.
staff - Add setexec so it can use sandbox
Allow it to read kernel state.
Allow it to use rtkit
Lots of real world access required by staff_usertype.
Also allow staff_t to transition to unconfined_t through sudo.

On Wed, 2010-02-17 at 10:54 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_staff.patch
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_unprivuser.patch
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_sysadm.patch
>
> Updated patches including ifndef redhat to remove all the old cruft caused by the per_role_template in ancient policy.

These don't look updated; I don't see any ifndef.

> staff - Add setexec so it can use sandbox
>
> Allow it to read kernel state.
> Allow it to use rtkit
>
> Lots of real world access required by staff_usertype.
>
> Also allow staff_t to transition to unconfined_t through sudo.
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

On 02/18/2010 11:32 AM, Christopher J. PeBenito wrote:
> On Wed, 2010-02-17 at 10:54 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/roles_staff.patch
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/roles_unprivuser.patch
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/roles_sysadm.patch
>>
>> Updated patches including ifndef redhat to remove all the old cruft caused by the per_role_template in ancient policy.
>
> These don't look updated; I don't see any ifndef.
>
>> staff - Add setexec so it can use sandbox
>>
>> Allow it to read kernel state.
>> Allow it to use rtkit
>>
>> Lots of real world access required by staff_usertype.
>>
>> Also allow staff_t to transition to unconfined_t through sudo.
>>
>

Sorry.
http://people.fedoraproject.org/~dwalsh/SELinux/F13/roles_staff.patch
http://people.fedoraproject.org/~dwalsh/SELinux/F13/roles_unprivuser.patch
http://people.fedoraproject.org/~dwalsh/SELinux/F13/roles_sysadm.patch

On Thu, 2010-02-18 at 12:57 -0500, Daniel J Walsh wrote:
> On 02/18/2010 11:32 AM, Christopher J. PeBenito wrote:
> > On Wed, 2010-02-17 at 10:54 -0500, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F13/roles_staff.patch
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F13/roles_unprivuser.patch
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F13/roles_sysadm.patch
> >>
> >> Updated patches including ifndef redhat to remove all the old cruft caused by the per_role_template in ancient policy.
> >
> > These don't look updated; I don't see any ifndef.
> >
> >> staff - Add setexec so it can use sandbox
> >>
> >> Allow it to read kernel state.
> >> Allow it to use rtkit
> >>
> >> Lots of real world access required by staff_usertype.
> >>
> >> Also allow staff_t to transition to unconfined_t through sudo.
> >>
> >
> Sorry.
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/roles_staff.patch
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/roles_unprivuser.patch
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/roles_sysadm.patch

Please collect all the ifndef distro_redhat down at the bottom, in one
single large ifndef block for each module.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150