2012-09-11 23:31:47

by Laurent Bigonville

Subject: [refpolicy] [PATCH 1/2] Label /var/run/mdadm/map as mdadm_map_t

From: Laurent Bigonville <[email protected]>

mdadm is now creating map file under /run/mdadm/map
---
raid.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/raid.fc b/raid.fc
index ed9c70d..e3c8bfb 100644
--- a/raid.fc
+++ b/raid.fc
@@ -4,3 +4,4 @@
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)

/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
+/var/run/mdadm/map -- gen_context(system_u:object_r:mdadm_map_t,s0)
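Review bot: the new entry references mdadm_map_t, but the diffstat shows only raid.fc changing, so nothing declares the type; a file context naming an undeclared type breaks the policy build. Either add the declaration to raid.te (`type mdadm_map_t; files_pid_file(mdadm_map_t)` plus a files_pid_filetrans() rule so mdadm_t creates "map" with that type, otherwise the file is created as mdadm_var_run_t and only a relabel gives it mdadm_map_t), or drop this line and let the existing `/var/run/mdadm(/.*)?` entry cover the file. Also, the commit message says /run/mdadm/map while the entry is /var/run/mdadm/map; that only labels the path named in the message where /run is mapped to /var/run in the file context substitutions.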
--
1.7.10.4


2012-09-11 23:31:48

by Laurent Bigonville

Subject: [refpolicy] [PATCH 2/2] Add Debian location for accounts-daemon daemon

From: Laurent Bigonville <[email protected]>

---
accountsd.fc | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/accountsd.fc b/accountsd.fc
index 1adca53..414e917 100644
--- a/accountsd.fc
+++ b/accountsd.fc
@@ -1,3 +1,7 @@
/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)

+ifdef(`distro_debian',`
+/usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
+')
+
/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
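Review bot: the ifdef(`distro_debian') guard is not needed for correctness, since an fc entry for a path that does not exist on the host is inert, but it matches the refpolicy convention for distro-specific paths and keeps the Debian path out of other distros' file_contexts, so the hunk is fine as written. One check before relying on it: the transition into the accountsd domain only fires when the daemon is executed from a path labeled accountsd_exec_t, so confirm the Debian service file or init script runs exactly /usr/lib/accountsservice/accounts-daemon and not another path.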
--
1.7.10.4
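
To see what the two hunks above actually change in labeling, here is an added example, not part of the thread and not libselinux or refpolicy code. It parses the .fc lines from both patches, expands the distro_debian ifdef, and resolves a path under a simplified rule that is an assumption on my part (the entry with the longest literal path stem wins, later entry on ties; real libselinux spec ordering is more involved). It shows that the new map entry only wins for a regular file, that a directory named map would still get mdadm_var_run_t because of the `--` qualifier, and that the Debian accounts-daemon path stays unlabeled unless distro_debian is defined.

```python
"""Model of how SELinux file_contexts (.fc) entries resolve to a label.
Added example, not libselinux code.  Assumes the simple, non-nested
ifdef(`distro_X',` ... ') form used by these .fc files, and that the
longest literal stem wins with ties going to the later entry (a
simplification of libselinux's spec ordering)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: raid.fc after PATCH 1/2 plus the accountsd.fc hunk of PATCH 2/2.
FC_TEXT = """\
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)

/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
/var/run/mdadm/map -- gen_context(system_u:object_r:mdadm_map_t,s0)

/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)

ifdef(`distro_debian',`
/usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
')

/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
"""
MAP_LINE = "/var/run/mdadm/map -- gen_context(system_u:object_r:mdadm_map_t,s0)\n"
FC_BEFORE = FC_TEXT.replace(MAP_LINE, "")  # raid.fc as it was before the patch

_META = set(".^$?*+|[](){}\\")


@dataclass
class FcEntry:
    regex: str              # path regex; setfiles anchors it to the whole path
    ftype: Optional[str]    # "--" file, "-d" dir, "-l" symlink, ... or None for any class
    context: Optional[str]  # user:role:type, or None for <<none>>
    order: int              # position in file, used as tie-breaker


def literal_prefix_len(regex: str) -> int:
    """Length of the literal stem before the first regex metacharacter."""
    for i, ch in enumerate(regex):
        if ch in _META:
            return i
    return len(regex)


def expand_ifdefs(text: str, distro: Optional[str]) -> List[str]:
    """Keep lines inside ifdef(`distro_<name>',` ... ') only when <name> == distro."""
    out, keep = [], True
    for line in text.splitlines():
        s = line.strip()
        m = re.fullmatch(r"ifdef\(`(\w+)',`", s)
        if m:
            keep = distro is not None and m.group(1) == f"distro_{distro}"
            continue
        if s == "')":
            keep = True
            continue
        if keep:
            out.append(line)
    return out


def parse_fc(text: str, distro: Optional[str] = None) -> List[FcEntry]:
    entries = []
    for i, line in enumerate(expand_ifdefs(text, distro)):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        fields = s.split()
        regex, rest = fields[0], fields[1:]
        ftype = None
        if rest and re.fullmatch(r"-[-dlscbp]", rest[0]):  # optional object-class qualifier
            ftype, rest = rest[0], rest[1:]
        ctx = rest[0] if rest else "<<none>>"
        m = re.fullmatch(r"gen_context\(([^,]+)(?:,.*)?\)", ctx)  # strip the MLS part
        context = m.group(1) if m else (None if ctx == "<<none>>" else ctx)
        entries.append(FcEntry(regex, ftype, context, i))
    return entries


def resolve(text: str, path: str, ftype: str = "--",
            distro: Optional[str] = None) -> Optional[str]:
    """Context a path of the given object class would be labeled with, or None."""
    best = None
    for e in parse_fc(text, distro):
        if e.ftype is not None and e.ftype != ftype:
            continue
        if not re.fullmatch(e.regex, path):
            continue
        key = (literal_prefix_len(e.regex), e.order)
        if best is None or key > best[0]:
            best = (key, e)
    return best[1].context if best else None


def label_type(context: Optional[str]) -> Optional[str]:
    """Just the type field of a user:role:type context."""
    return context.split(":")[2] if context else None


if __name__ == "__main__":
    for name, text in (("before", FC_BEFORE), ("after", FC_TEXT)):
        print(name, "/var/run/mdadm/map (file) ->", label_type(resolve(text, "/var/run/mdadm/map")))
    print("after /var/run/mdadm/map (dir) ->",
          label_type(resolve(FC_TEXT, "/var/run/mdadm/map", ftype="-d")))
    for distro in (None, "debian"):
        print(f"distro={distro}: accounts-daemon ->",
              label_type(resolve(FC_TEXT, "/usr/lib/accountsservice/accounts-daemon", distro=distro)))
```

Running it prints mdadm_var_run_t for the file before the patch and mdadm_map_t after, mdadm_var_run_t for a directory of the same name, and None versus accountsd_exec_t for the Debian daemon path depending on whether distro_debian is set. On a real system the equivalent check is `matchpathcon -n /var/run/mdadm/map` after the policy is rebuilt.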

2012-09-12 16:49:35

by dominick.grift

Subject: [refpolicy] [PATCH 1/2] Label /var/run/mdadm/map as mdadm_map_t



On Wed, 2012-09-12 at 01:31 +0200, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> mdadm is now creating map file under /run/mdadm/map
> ---
> raid.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/raid.fc b/raid.fc
> index ed9c70d..e3c8bfb 100644
> --- a/raid.fc
> +++ b/raid.fc
> @@ -4,3 +4,4 @@
> /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
>
> /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
> +/var/run/mdadm/map -- gen_context(system_u:object_r:mdadm_map_t,s0)

I think it's probably best to drop mdadm_map_t and make it an alias of
mdadm_var_run_t instead.

I have some changes from both myself and fedora for raid module in the
pipeline.

It sucks though because both Fedora as well as refpolicy made mdadm_t an
unconfined type. That basically makes it almost impossible for us to
develop it further and receive feedback on it.

2012-09-13 12:18:11

by dominick.grift

Subject: [refpolicy] [PATCH 2/2] Add Debian location for accounts-daemon daemon



On Wed, 2012-09-12 at 01:31 +0200, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> ---
> accountsd.fc | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/accountsd.fc b/accountsd.fc
> index 1adca53..414e917 100644
> --- a/accountsd.fc
> +++ b/accountsd.fc
> @@ -1,3 +1,7 @@
> /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
>
> +ifdef(`distro_debian',`
> +/usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
> +')
> +
> /var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)

This was merged, thanks

2012-09-13 15:36:47

by Daniel Walsh

Subject: [refpolicy] [PATCH 1/2] Label /var/run/mdadm/map as mdadm_map_t

On 09/12/2012 12:49 PM, Dominick Grift wrote:
>
>
> On Wed, 2012-09-12 at 01:31 +0200, Laurent Bigonville wrote:
>> From: Laurent Bigonville <[email protected]>
>>
>> mdadm is now creating map file under /run/mdadm/map --- raid.fc | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/raid.fc b/raid.fc index ed9c70d..e3c8bfb 100644 ---
>> a/raid.fc +++ b/raid.fc @@ -4,3 +4,4 @@ /sbin/mdmpd --
>> gen_context(system_u:object_r:mdadm_exec_t,s0)
>>
>> /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
>> +/var/run/mdadm/map -- gen_context(system_u:object_r:mdadm_map_t,s0)
>
> I think it's probably best to drop mdadm_map_t and make it an alias of
> mdadm_var_run_t instead.
>
> I have some changes from both myself and fedora for raid module in the
> pipeline.
>
> It sucks though because both Fedora as well as refpolicy made mdadm_t an
> unconfined type. That basically makes it almost impossible for us to
> develop it further and receive feedback on it.
>
> _______________________________________________ refpolicy mailing list
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
>
Dominick, let's turn that off in Rawhide.

2012-09-13 16:09:28

by dominick.grift

Subject: [refpolicy] [PATCH 1/2] Label /var/run/mdadm/map as mdadm_map_t



On Thu, 2012-09-13 at 11:36 -0400, Daniel J Walsh wrote:
> On 09/12/2012 12:49 PM, Dominick Grift wrote:
> >
> >
> > On Wed, 2012-09-12 at 01:31 +0200, Laurent Bigonville wrote:
> >> From: Laurent Bigonville <[email protected]>
> >>
> >> mdadm is now creating map file under /run/mdadm/map --- raid.fc | 1 +
> >> 1 file changed, 1 insertion(+)
> >>
> >> diff --git a/raid.fc b/raid.fc index ed9c70d..e3c8bfb 100644 ---
> >> a/raid.fc +++ b/raid.fc @@ -4,3 +4,4 @@ /sbin/mdmpd --
> >> gen_context(system_u:object_r:mdadm_exec_t,s0)
> >>
> >> /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
> >> +/var/run/mdadm/map -- gen_context(system_u:object_r:mdadm_map_t,s0)
> >
> > I think it's probably best to drop mdadm_map_t and make it an alias of
> > mdadm_var_run_t instead.
> >
> > I have some changes from both myself and fedora for raid module in the
> > pipeline.
> >
> > It sucks though because both Fedora as well as refpolicy made mdadm_t an
> > unconfined type. That basically makes it almost impossible for us to
> > develop it further and receive feedback on it.
> >
> >
> Dominick, let's turn that off in Rawhide.
>

That is a good idea. I would like to hear pebenito's opinion about
removing it in refpolicy as well.

What caused refpolicy to make mdadm_t an unconfined domain in the first
place?

2012-09-13 17:42:15

by cpebenito

Subject: [refpolicy] [PATCH 1/2] Label /var/run/mdadm/map as mdadm_map_t

On 09/13/12 12:09, Dominick Grift wrote:
>
>
> On Thu, 2012-09-13 at 11:36 -0400, Daniel J Walsh wrote:
>> On 09/12/2012 12:49 PM, Dominick Grift wrote:
>>>
>>>
>>> On Wed, 2012-09-12 at 01:31 +0200, Laurent Bigonville wrote:
>>>> From: Laurent Bigonville <[email protected]>
>>>>
>>>> mdadm is now creating map file under /run/mdadm/map --- raid.fc | 1 +
>>>> 1 file changed, 1 insertion(+)
>>>>
>>>> diff --git a/raid.fc b/raid.fc index ed9c70d..e3c8bfb 100644 ---
>>>> a/raid.fc +++ b/raid.fc @@ -4,3 +4,4 @@ /sbin/mdmpd --
>>>> gen_context(system_u:object_r:mdadm_exec_t,s0)
>>>>
>>>> /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
>>>> +/var/run/mdadm/map -- gen_context(system_u:object_r:mdadm_map_t,s0)
>>>
>>> I think it's probably best to drop mdadm_map_t and make it an alias of
>>> mdadm_var_run_t instead.
>>>
>>> I have some changes from both myself and fedora for raid module in the
>>> pipeline.
>>>
>>> It sucks though because both Fedora as well as refpolicy made mdadm_t an
>>> unconfined type. That basically makes it almost impossible for us to
>>> develop it further and receive feedback on it.
>>>
>> Dominick, let's turn that off in Rawhide.
>>
>
> That is a good idea. I would like to hear pebenito's opinion about
> removing it in refpolicy as well.
>
> What caused refpolicy to make mdadm_t an unconfined domain in the first
> place?

I'm fine with it. I suspect it's a remnant of the original targeted policy, where only network-facing services were confined.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-09-14 15:30:22

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/2] Label /var/run/mdadm/map as mdadm_map_t

On Sep 13, 2012 7:43 PM, "Christopher J. PeBenito" <[email protected]>
wrote:
> I'm fine with it. I suspect it's a remnant of the original targeted
> policy, where only network-facing services were confined.

We have been running without unconfined in Gentoo on quite a few systems
with raid and swraid with few additional patches on the domain. I even
think without patches, but don't have access to the patch list currently to
verify.