From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 28 Jun 2010 09:39:34 -0400
Subject: [refpolicy] little ubac patch
In-Reply-To: <201006281525.37991.russell@coker.com.au>
References: <201006281525.37991.russell@coker.com.au>
Message-ID: <1277732374.3850.21.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2010-06-28 at 15:25 +1000, Russell Coker wrote:
> I've attached a little patch for UBAC.  Firstly it allows unconfined_u the 
> same rights to override UBAC controls as system_u - if you want a UBAC 
> confined identity then you can use one of the others.  unconfined remains 
> unconfined.  Given the lack of use of UBAC this probably doesn't make any 
> difference to anyone.  I'm leaving it in the Debian source tree though to make 
> things easier for anyone who does decide to do a UBAC policy build, and I 
> think it should be upstream for the same reason.
> 
> Also the patch allows the unconfined_u identity access to the system_r role.  
> This permits restarting daemons that run in the system_r role without using 
> run_init.

I'm going to leave this out for now since UBAC isn't widely used.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com