From: russell@coker.com.au (Russell Coker)
Date: Tue, 29 Jun 2010 03:18:18 +1000
Subject: [refpolicy] little ubac patch
In-Reply-To: <1277732374.3850.21.camel@gorn.columbia.tresys.com>
References: <201006281525.37991.russell@coker.com.au>
	<1277732374.3850.21.camel@gorn.columbia.tresys.com>
Message-ID: <201006290318.18556.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 28 Jun 2010, "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
> On Mon, 2010-06-28 at 15:25 +1000, Russell Coker wrote:
> > I've attached a little patch for UBAC.  Firstly it allows unconfined_u
> > the  same rights to override UBAC controls as system_u - if you want a
> > UBAC confined identity then you can use one of the others.  unconfined
> > remains unconfined.  Given the lack of use of UBAC this probably doesn't
> > make any difference to anyone.  I'm leaving it in the Debian source tree
> > though to make things easier for anyone who does decide to do a UBAC
> > policy build, and I think it should be upstream for the same reason.
> >
> > 
> >
> > Also the patch allows the unconfined_u identity access to the system_r
> > role.   This permits restarting daemons that run in the system_r role
> > without using run_init.
> 
> I'm going to leave this out for now since UBAC isn't widely used.

Should I submit a patch to remove UBAC then?  I think we should either improve 
it as much as possible or remove it.

-- 
russell at coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog