From: russell@coker.com.au (Russell Coker)
Date: Tue, 29 Jun 2010 03:18:18 +1000
Subject: [refpolicy] little ubac patch
In-Reply-To: <1277732374.3850.21.camel@gorn.columbia.tresys.com>
References: <201006281525.37991.russell@coker.com.au> <1277732374.3850.21.camel@gorn.columbia.tresys.com>
Message-ID: <201006290318.18556.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 28 Jun 2010, "Christopher J. PeBenito" wrote:
> On Mon, 2010-06-28 at 15:25 +1000, Russell Coker wrote:
> > I've attached a little patch for UBAC. Firstly it allows unconfined_u
> > the same rights to override UBAC controls as system_u - if you want a
> > UBAC confined identity then you can use one of the others. unconfined
> > remains unconfined. Given the lack of use of UBAC this probably doesn't
> > make any difference to anyone. I'm leaving it in the Debian source tree
> > though to make things easier for anyone who does decide to do a UBAC
> > policy build, and I think it should be upstream for the same reason.
> >
> > Also the patch allows the unconfined_u identity access to the system_r
> > role. This permits restarting daemons that run in the system_r role
> > without using run_init.
>
> I'm going to leave this out for now since UBAC isn't widely used.

Should I submit a patch to remove UBAC then? I think we should either improve
it as much as possible or remove it.

--
russell at coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog