From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 28 Jun 2010 09:39:34 -0400 Subject: [refpolicy] little ubac patch In-Reply-To: <201006281525.37991.russell@coker.com.au> References: <201006281525.37991.russell@coker.com.au> Message-ID: <1277732374.3850.21.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 2010-06-28 at 15:25 +1000, Russell Coker wrote: > I've attached a little patch for UBAC. Firstly it allows unconfined_u the > same rights to override UBAC controls as system_u - if you want a UBAC > confined identity then you can use one of the others. unconfined remains > unconfined. Given the lack of use of UBAC this probably doesn't make any > difference to anyone. I'm leaving it in the Debian source tree though to make > things easier for anyone who does decide to do a UBAC policy build, and I > think it should be upstream for the same reason. > > Also the patch allows the unconfined_u identity access to the system_r role. > This permits restarting daemons that run in the system_r role without using > run_init. I'm going to leave this out for now since UBAC isn't widely used. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com