From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 14 Nov 2008 08:29:21 -0500
Subject: [refpolicy] (u|r)bacsep: initial testing
In-Reply-To: <491C8052.1030506@tycho.nsa.gov>
References: <1216224735.21191.50.camel@gorn> <1224183673.21012.64.camel@gorn.columbia.tresys.com> <491C8052.1030506@tycho.nsa.gov>
Message-ID: <1226669361.24358.66.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2008-11-13 at 14:30 -0500, Eamon Walsh wrote:
> Christopher J. PeBenito wrote:
> >
> > ping
> >
> > This is the last call. I have not heard any comments from the
> > community. User-based separations have finished going through vetting
> > internally at Tresys; I plan to finalize this and then merge it into
> > trunk in the next week or so unless there are any objections raised.
> >
> > This really needs to be tested by people whose projects depend on proper
> > role separations.
>
> I had to apply this patch to policy/constraints to get around a build error:
>
> Index: constraints
> ===================================================================
> --- constraints (revision 2873)
> +++ constraints (working copy)
> @@ -81,8 +81,11 @@
>
> constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
> (
> - basic_ubac_conditions
> - or t1 == ubacproc
> + ifdef(`enable_ubac',`
> + basic_ubac_conditions
> + or
> + ')
> + t1 == ubacproc
> );
>
> constrain process { transition noatsecure siginh rlimitinh }

I put the whole constraint in the enable_ubac. If UBAC is disabled, we don't want the t1 == ubacproc to still be a constraint.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
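
Review bot: In the @@ -81,8 +81,11 @@ hunk, the ifdef(`enable_ubac', ...) wraps only `basic_ubac_conditions or`, so `t1 == ubacproc` stays outside it and the constrain statement is still emitted when enable_ubac is not defined. In that build the expression reduces to `t1 == ubacproc` alone, which means sigchld, sigkill, ptrace and the other listed process permissions remain gated on the ubacproc attribute even though UBAC is meant to be off. Suggest moving the ifdef so that it encloses the whole statement, from `constrain process {` through `);`, so a non-UBAC build carries no UBAC constraint at all. The next statement, `constrain process { transition noatsecure siginh rlimitinh }`, appears here only as trailing context; its body is not visible, so it is worth checking whether it needs the same treatment.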