2011-04-27 18:36:00

by cpebenito

Subject: [refpolicy] Refpolicy status

Since the list has been quiet lately, I have been looking through the
Fedora git repo for things to upstream. Please let me know if there are
particular things that you think should be upstreamed.

Known things that are still contentious:
* user_type attributes
* admin home dir type
* "leaks" interfaces
* inherited permission sets/interfaces
* systemd -- I believe this is too different from traditional init_t and
warrants its own full policy
* unconfined/unconfineduser module split design

Known unacceptable things:
* unlabelednet module and corenet_enable_unlabeled_packets()

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com


2011-04-27 19:12:04

by domg472

Subject: [refpolicy] Refpolicy status


On 04/27/2011 08:36 PM, Christopher J. PeBenito wrote:
> Please let me know if there are particular things that you think should be upstreamed.

Consider synchronizing the cgroup module (also filesystem.fc wrt
cgroup). You may also want to have a look at cobbler's policy and its
dependencies to see if any of it can be merged.

2011-04-29 13:38:38

by cpebenito

Subject: [refpolicy] Refpolicy status

On 04/27/11 15:12, Dominick Grift wrote:
> On 04/27/2011 08:36 PM, Christopher J. PeBenito wrote:
>> Please let me know if there are particular things that you think should be upstreamed.
>
> Consider synchronizing the cgroup module (also filesystem.fc wrt
> cgroup). You may also want have a look at cobblers policy and its
> dependencies to see if any of it can be merged.

Ok, I already got the filesystem.fc merged in, but it's rearranged, so it
looks like a diff between the two trees. I'll look at the cgroup and
cobbler modules.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-04-29 13:43:10

by domg472

Subject: [refpolicy] Refpolicy status


On 04/29/2011 03:38 PM, Christopher J. PeBenito wrote:
>
> Ok, I already got the filesystem.fc merged in, but its rearranged, so it
> looks like a diff between the two trees. I'll look at the cgroup and
> cobbler modules.
>

If you decide to merge cgroup changes then keep in mind that cgroup_t
needs to associate with sysfs_t devices. (filesystem.te:
dev_associate_sysfs(cgroup_t))

This cgroup/sysfs change is mainly for systemd. libcgroup still
installs/uses the /cgroup by default.

2011-04-29 13:53:54

by cpebenito

Subject: [refpolicy] Refpolicy status

On 04/29/11 09:43, Dominick Grift wrote:
> On 04/29/2011 03:38 PM, Christopher J. PeBenito wrote:
>
>> Ok, I already got the filesystem.fc merged in, but its rearranged, so it
>> looks like a diff between the two trees. I'll look at the cgroup and
>> cobbler modules.
>
>
> If you decide to merge cgroup changes then keep in mind that cgroup_t
> needs to associate with sysfs_t devices. (filesystem.te:
> dev_associate_sysfs(cgroup_t))
>
> This cgroup/sysfs change is mainly for systemd. libcgroup still
> installs/uses the /cgroup by default.

So this means that the /sys fc lines are for systemd systems too, right?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-04-29 14:31:32

by domg472

Subject: [refpolicy] Refpolicy status


On 04/29/2011 03:53 PM, Christopher J. PeBenito wrote:
> On 04/29/11 09:43, Dominick Grift wrote:
>> On 04/29/2011 03:38 PM, Christopher J. PeBenito wrote:
>>
>>> Ok, I already got the filesystem.fc merged in, but its rearranged, so it
>>> looks like a diff between the two trees. I'll look at the cgroup and
>>> cobbler modules.
>>
>>
>> If you decide to merge cgroup changes then keep in mind that cgroup_t
>> needs to associate with sysfs_t devices. (filesystem.te:
>> dev_associate_sysfs(cgroup_t))
>>
>> This cgroup/sysfs change is mainly for systemd. libcgroup still
>> installs/uses the /cgroup by default.
>
> So this means that the /sys fc lines are for systemd systems too, right?
>

Right. systemd mounts cgroup on:

/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup(/.*)? <<none>>

but libcgroup mounts cgroup by default on:

/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/cgroup/.* <<none>>

2011-04-29 14:36:49

by domg472

Subject: [refpolicy] Refpolicy status


On 04/29/2011 04:31 PM, Dominick Grift wrote:

> /sys/fs/cgroup(/.*)? <<none>>

That should be /sys/fs/cgroup/.* too, I guess.
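The correction above matters because of how file_contexts entries are matched: the regex is anchored at both ends, and when several entries match a path the last one in the file wins. With `/sys/fs/cgroup(/.*)?` the optional group also matches the mount point `/sys/fs/cgroup` itself, so the later `<<none>>` entry overrides the `-d cgroup_t` entry and restorecon would leave the directory alone; `/sys/fs/cgroup/.*` only matches things below it. The following is an added example, not code from the thread or from refpolicy: a deliberately simplified Python model of that matching (anchored regex, `-d` restricted to directories, `<<none>>` meaning "do not relabel", last match wins) run over the two cgroup listings from the messages above. The `gen_context(...)` expansion to a `type:level` string and the function names are assumptions of this toy; real libselinux also groups specs by stem and uses its own regex engine, which this model ignores.

```python
"""Toy model of SELinux file_contexts matching (added example, not libselinux).

Assumptions: path regexes are anchored at both ends, a '-d' entry matches
only directories, '<<none>>' means "leave unlabeled / do not relabel", and
the LAST matching entry wins. gen_context(ctx,level) is expanded to
"ctx:level" to mimic the refpolicy build step.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

NONE_CONTEXT = "<<none>>"

# File-context listings exactly as posted in the thread (systemd layout as
# first written, the corrected systemd layout, and the libcgroup layout).
SYSTEMD_FC_AS_POSTED = """
/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup(/.*)? <<none>>
"""

SYSTEMD_FC_CORRECTED = """
/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup/.* <<none>>
"""

LIBCGROUP_FC = """
/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/cgroup/.* <<none>>
"""


@dataclass
class Spec:
    regex: "re.Pattern"
    ftype: Optional[str]  # "-d" = directories only; None = any file type
    context: str          # e.g. "system_u:object_r:cgroup_t:s0" or "<<none>>"


def parse_fc(text: str) -> List[Spec]:
    """Parse file_contexts lines: <regex> [<type flag>] <context>."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        path_re = parts[0]
        ftype = parts[1] if len(parts) == 3 else None
        ctx = parts[-1]
        # Expand gen_context(ctx,level) -> ctx:level (assumed build behaviour).
        m = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", ctx)
        if m:
            ctx = f"{m.group(1)}:{m.group(2)}"
        specs.append(Spec(re.compile(path_re), ftype, ctx))
    return specs


def lookup(specs: List[Spec], path: str, is_dir: bool) -> Optional[str]:
    """Return the context a relabel would assign to path (None = no entry)."""
    result: Optional[str] = None
    for spec in specs:
        if spec.ftype == "-d" and not is_dir:
            continue
        if spec.regex.fullmatch(path):  # anchored match; later entries override
            result = spec.context
    return result


def label_mount_point(fc_text: str, mount_point: str) -> Optional[str]:
    """Context the cgroup mount point directory itself would receive."""
    return lookup(parse_fc(fc_text), mount_point, is_dir=True)


if __name__ == "__main__":
    for name, fc, mnt in (("as posted", SYSTEMD_FC_AS_POSTED, "/sys/fs/cgroup"),
                          ("corrected", SYSTEMD_FC_CORRECTED, "/sys/fs/cgroup"),
                          ("libcgroup", LIBCGROUP_FC, "/cgroup")):
        specs = parse_fc(fc)
        print(f"{name:10s} {mnt:15s} -> {label_mount_point(fc, mnt)}")
        print(f"{'':10s} {mnt + '/systemd':15s} -> "
              f"{lookup(specs, mnt + '/systemd', True)}")
```

Running it shows the mount point resolving to `<<none>>` under the as-posted listing and to `system_u:object_r:cgroup_t:s0` under the corrected one, while entries below the mount point resolve to `<<none>>` in both, which is the intended "label the mount point, leave the kernel-managed tree alone" outcome.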

2011-04-29 14:56:31

by Daniel Walsh

Subject: [refpolicy] Refpolicy status


On 04/29/2011 10:36 AM, Dominick Grift wrote:
> On 04/29/2011 04:31 PM, Dominick Grift wrote:
>
>> /sys/fs/cgroup(/.*)? <<none>>
>
> That should be /sys/fs/cgroup/.* too, I guess.
_______________________________________________
refpolicy mailing list
refpolicy at oss.tresys.com
http://oss.tresys.com/mailman/listinfo/refpolicy

They are about to move /selinux to /sys/fs/selinux also.