From: ewalsh@tycho.nsa.gov (Eamon Walsh)
Date: Thu, 13 Nov 2008 14:30:26 -0500
Subject: [refpolicy] (u|r)bacsep: initial testing
In-Reply-To: <1224183673.21012.64.camel@gorn.columbia.tresys.com>
References: <1216224735.21191.50.camel@gorn>
	<1224183673.21012.64.camel@gorn.columbia.tresys.com>
Message-ID: <491C8052.1030506@tycho.nsa.gov>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Christopher J. PeBenito wrote:
>
> ping
>
> This is the last call.  I have not heard any comments from the
> community.  User-based separations have finished going through vetting
> interally at Tresys; I plan to finalize this and then merge it into
> trunk in the next week or so unless there are any objections raised.
>
> This really needs to be tested by people whose projects depend on proper
> role separations.
>
>   

I had to apply this patch to policy/constraints to get around a build error:

Index: constraints
===================================================================
--- constraints	(revision 2873)
+++ constraints	(working copy)
@@ -81,8 +81,11 @@
 
 constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
 (
-	basic_ubac_conditions
-	or t1 == ubacproc
+	ifdef(`enable_ubac',`
+		basic_ubac_conditions
+		or
+	')
+	t1 == ubacproc
 );
 
 constrain process { transition noatsecure siginh rlimitinh }




-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency