From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 19 Jul 2010 13:28:47 -0400
Subject: [refpolicy] roles_staff.patch
In-Reply-To: <4C3B245A.5030809@redhat.com>
References: <4C06BF9E.6030300@redhat.com> <4C3324B4.9030603@tresys.com> <4C3B245A.5030809@redhat.com>
Message-ID: <4C448B4F.40900@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/12/10 10:19, Daniel J Walsh wrote:
> On 07/06/2010 08:42 AM, Christopher J. PeBenito wrote:
>> On 06/02/10 16:31, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_staff.patch
>>>
>>> Allow staff user to exec files on removable devices
>>>
>>> Needs access to run sandbox
>>>
>>> Additional access for staff reading kernel info.
>>>
>>> staff_t needs to run newrole to relabel content in his homedir
>>>
>>> Needs to run ping
>>>
>>> Added distro_redhat to eliminate all of the transitions that we did not
>>> want.
>>
>> This needs to be cleaned up, it's way off from typical refpolicy style.
>> Also, instead of ifndef'ing individual optional blocks, they should all
>> be collected into one big ifndef block.
>>
>>
> I originally did this but I thought you asked me to move it to this
> format to make the changes less severe.

Did I? If so, sorry about the confusion. I would prefer that there be
just the single distro_redhat block. But if you can separate the patch
into two: one that moves current rules into the ifndef distro_redhat
block and another that has all the other unrelated changes, that would
make it easier.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com