From: domg472@gmail.com (Dominick Grift)
Date: Mon, 08 Mar 2010 20:39:30 +0100
Subject: [refpolicy] [PATCH 1/1] Likewise policy
In-Reply-To: <4B954C06.3080409@likewise.com>
References: <4B954C06.3080409@likewise.com>
Message-ID: <4B955272.4040003@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/08/2010 08:12 PM, Scott Salley wrote:
>>> +allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
>>> +allow lwiod_t netlogond_var_lib_t:file read_file_perms;
>>> +
>>> +corenet_tcp_bind_generic_node(lwiod_t)
>>> +corenet_tcp_bind_smbd_port(lwiod_t)
>>> +corenet_tcp_connect_smbd_port(lwiod_t)
>>
>> The networking block is missing to interface calls to ensure compatibility.
> 
> Sorry, I don't understand the comment 'The networking block is missing...".
> Could you please explain?

SELinux supports some (optional) network controls. If you want your
policy to work in an environment that implements these network controls
you are required to make your policy compatible by adding those
interface calls.

> 
>>> +allow lwsmd_t lwregd_t:process { signal siginh rlimitinh };
>>> +allow lwsmd_t netlogond_t:process { signal siginh rlimitinh };
>>> +allow lwsmd_t srvsvcd_t:process { signal siginh rlimitinh };
> 
>> I suspect these can be removed. signal is already allowed and the other
>> permissions are rarely needed.
> 
> Where is signal already allowed? (siginh and rlimitinh can certainly be removed).

+	allow $1 self:process { signal_perms getsched setsched };

It is included in the signal_perms permission set. (likewise.if)

> 
> Thank you for all the comments/advice/criticism.
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100308/3b202aac/attachment.bin