2010-02-23 22:01:42

by Daniel Walsh

Subject: [refpolicy] system_daemontools.patch

http://people.fedoraproject.org/~dwalsh/SELinux/F13/system_daemontools.patch

+ daemonstools_run_start(sysadm_t, sysadm_r)
+ daemontools_search_svc_dir(syslogd_t)
+ daemontools_sigchld_run(ucspitcp_t)
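Review bot: `daemonstools_run_start(sysadm_t, sysadm_r)` on the first line looks like a typo for `daemontools_run_start`; the other two calls and the module name use the `daemontools_` prefix, and an interface name that does not exist will fail at policy build time. The three calls are also shown without file or `@@` context, so the reply cannot tell which modules (presumably sysadm, logging and the ucspi-tcp policy) they were added to; quoting the hunk headers would help.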

svc_run needs sys_resource
reads urand

writes to console

Other access required.


2010-03-04 16:16:20

by cpebenito

Subject: [refpolicy] system_daemontools.patch

On Tue, 2010-02-23 at 17:01 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/system_daemontools.patch
>
> + daemonstools_run_start(sysadm_t, sysadm_r)
> + daemontools_search_svc_dir(syslogd_t)
> + daemontools_sigchld_run(ucspitcp_t)
>
> svc_run needs sys_resource
> reads urand
>
> writes to console
>
> Other access required.

Why is this network access needed:

+allow svc_start_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_bind_generic_node(svc_start_t)
+corenet_tcp_bind_generic_port(svc_start_t)
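Review bot: these three rules let svc_start_t create a TCP stream socket and bind it on any node and on any port carrying the generic port_t label, which is a listener capability rather than the sys_resource, urandom and console access the patch description lists. If an AVC denial motivated them, cite it and bind to the specific port type that denial names instead of corenet_tcp_bind_generic_port(); otherwise the rules should be dropped.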

a quick glance through the code didn't indicate any network access.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
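The question above is really "what did the AVC denials show?". The following shell snippet is an added example, not part of the thread or of the refpolicy patch: it summarises constructed audit records for a given source domain so a reviewer can see which object classes, permissions and target types were actually requested before deciding between a broad rule such as corenet_tcp_bind_generic_port() and a per-port interface. The audit lines, the comm names and the port type they hit are all made up for illustration.

```shell
#!/bin/sh
# Added example (not from the refpolicy patch): summarise SELinux AVC denials
# per source domain so a policy reviewer can judge how narrow the fix can be.

# Constructed sample audit records in the layout auditd writes for AVC events.
SAMPLE_AVC='type=AVC msg=audit(1267718402.101:311): avc:  denied  { create } for  pid=2101 comm="svscan" scontext=system_u:system_r:svc_start_t:s0 tcontext=system_u:system_r:svc_start_t:s0 tclass=tcp_socket
type=AVC msg=audit(1267718402.102:312): avc:  denied  { node_bind } for  pid=2101 comm="svscan" saddr=0.0.0.0 src=0 scontext=system_u:system_r:svc_start_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1267718402.103:313): avc:  denied  { name_bind } for  pid=2101 comm="svscan" src=80 scontext=system_u:system_r:svc_start_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1267718402.104:314): avc:  denied  { read } for  pid=2102 comm="svscanboot" path="/dev/urandom" dev=tmpfs ino=123 scontext=system_u:system_r:svc_run_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file'

# avc_summary DOMAIN
# Prints one line per distinct (tclass, target type, permission) that DOMAIN
# was denied, e.g. "tcp_socket node_t node_bind". Only records whose scontext
# type is DOMAIN are considered; the target type is taken from tcontext.
avc_summary() {
    domain="$1"
    printf '%s\n' "$SAMPLE_AVC" |
    grep "scontext=[^ ]*:${domain}:" |
    sed -n 's/.*{ \([^}]*\) }.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\3 \2 \1/p' |
    sort -u
}

# name_bind_targets DOMAIN
# Lists the port types DOMAIN tried to bind by name. A specific type (here
# http_port_t, so corenet_tcp_bind_http_port() would do) argues for a narrow
# rule; only a denial against the generic port_t type would justify
# corenet_tcp_bind_generic_port().
name_bind_targets() {
    avc_summary "$1" | awk '$1 == "tcp_socket" && $3 == "name_bind" { print $2 }'
}

# Stand-alone usage: show what svc_start_t actually asked for.
if [ "${1:-}" = "--demo" ]; then
    avc_summary svc_start_t
    echo "name_bind targets: $(name_bind_targets svc_start_t | tr '\n' ' ')"
fi
```

On a real system replace the embedded records with `ausearch -m avc -c svscan` (or a read of /var/log/audit/audit.log) piped into the same sed expression; the point is that a denial naming http_port_t does not justify a generic-port bind, and a denial on svc_start_t itself for `create` says nothing about which port is wanted at all.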

2010-03-04 16:19:56

by Daniel Walsh

Subject: [refpolicy] system_daemontools.patch

On 03/04/2010 11:16 AM, Christopher J. PeBenito wrote:
> On Tue, 2010-02-23 at 17:01 -0500, Daniel J Walsh wrote:
>
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/system_daemontools.patch
>>
>> + daemonstools_run_start(sysadm_t, sysadm_r)
>> + daemontools_search_svc_dir(syslogd_t)
>> + daemontools_sigchld_run(ucspitcp_t)
>>
>> svc_run needs sys_resource
>> reads urand
>>
>> writes to console
>>
>> Other access required.
>>
> Why is this network access needed:
>
> +allow svc_start_t self:tcp_socket create_stream_socket_perms;
> +corenet_tcp_bind_generic_node(svc_start_t)
> +corenet_tcp_bind_generic_port(svc_start_t)
>
> a quick glance through the code didn't indicate any network access.
>
>
I have no idea. I did not write this one. Miroslav or Dominick?

2010-03-04 17:36:25

by domg472

Subject: [refpolicy] system_daemontools.patch

On 03/04/2010 05:19 PM, Daniel J Walsh wrote:
> I have no idea. I did not write this one. Miroslav or Dominick?

I did not propose it either. I wish Fedora would use git, that way we
could just look up the committer of this.


2010-03-05 08:05:10

by mgrepl

Subject: [refpolicy] system_daemontools.patch

On 03/04/2010 05:19 PM, Daniel J Walsh wrote:
> On 03/04/2010 11:16 AM, Christopher J. PeBenito wrote:
>> On Tue, 2010-02-23 at 17:01 -0500, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/system_daemontools.patch
>>>
>>>
>>> + daemonstools_run_start(sysadm_t, sysadm_r)
>>> + daemontools_search_svc_dir(syslogd_t)
>>> + daemontools_sigchld_run(ucspitcp_t)
>>>
>>> svc_run needs sys_resource
>>> reads urand
>>>
>>> writes to console
>>>
>>> Other access required.
>> Why is this network access needed:
>>
>> +allow svc_start_t self:tcp_socket create_stream_socket_perms;
>> +corenet_tcp_bind_generic_node(svc_start_t)
>> +corenet_tcp_bind_generic_port(svc_start_t)
>>
>> a quick glance through the code didn't indicate any network access.
>>
> I have no idea. I did not write this one. Miroslav or Dominick?
OK, I am the culprit. We got this as part of a bug, and people needed to
add a local module with these rules to fix policy issues.

Regards,
Miroslav

2010-03-08 13:47:09

by cpebenito

Subject: [refpolicy] system_daemontools.patch

On Fri, 2010-03-05 at 09:05 +0100, Miroslav Grepl wrote:
> On 03/04/2010 05:19 PM, Daniel J Walsh wrote:
> > On 03/04/2010 11:16 AM, Christopher J. PeBenito wrote:
> >> On Tue, 2010-02-23 at 17:01 -0500, Daniel J Walsh wrote:
> >>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/system_daemontools.patch
> >>>
> >>>
> >>> + daemonstools_run_start(sysadm_t, sysadm_r)
> >>> + daemontools_search_svc_dir(syslogd_t)
> >>> + daemontools_sigchld_run(ucspitcp_t)
> >>>
> >>> svc_run needs sys_resource
> >>> reads urand
> >>>
> >>> writes to console
> >>>
> >>> Other access required.
> >> Why is this network access needed:
> >>
> >> +allow svc_start_t self:tcp_socket create_stream_socket_perms;
> >> +corenet_tcp_bind_generic_node(svc_start_t)
> >> +corenet_tcp_bind_generic_port(svc_start_t)
> >>
> >> a quick glance through the code didn't indicate any network access.
> >>
> > I have no idea. I did not write this one. Miroslav or Dominick?
> OK, I am the culprit. We got this as part of a bug, and people needed to
> add a local module with these rules to fix policy issues.

Do you have any info as to why?

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150