From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 14 Nov 2008 08:29:21 -0500
Subject: [refpolicy] (u|r)bacsep: initial testing
In-Reply-To: <491C8052.1030506@tycho.nsa.gov>
References: <1216224735.21191.50.camel@gorn>
	<1224183673.21012.64.camel@gorn.columbia.tresys.com>
	<491C8052.1030506@tycho.nsa.gov>
Message-ID: <1226669361.24358.66.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2008-11-13 at 14:30 -0500, Eamon Walsh wrote:
> Christopher J. PeBenito wrote:
> >
> > ping
> >
> > This is the last call.  I have not heard any comments from the
> > community.  User-based separations have finished going through vetting
> > interally at Tresys; I plan to finalize this and then merge it into
> > trunk in the next week or so unless there are any objections raised.
> >
> > This really needs to be tested by people whose projects depend on proper
> > role separations.   
> 
> I had to apply this patch to policy/constraints to get around a build error:
> 
> Index: constraints
> ===================================================================
> --- constraints	(revision 2873)
> +++ constraints	(working copy)
> @@ -81,8 +81,11 @@
>  
>  constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
>  (
> -	basic_ubac_conditions
> -	or t1 == ubacproc
> +	ifdef(`enable_ubac',`
> +		basic_ubac_conditions
> +		or
> +	')
> +	t1 == ubacproc
>  );
>  
>  constrain process { transition noatsecure siginh rlimitinh }

I put the whole constraint in the enable_ubac.  If UBAC is disabled, we
don't want the t1 == ubacproc to still be a constraint.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150