From: domg472@gmail.com (Dominick Grift)
Date: Mon, 24 Jan 2011 16:59:47 +0100
Subject: [refpolicy] [PATCH/RFC 0/19]: patch set to update the git reference policy
In-Reply-To: <1295884566.1547.13.camel@tesla.lan>
References: <1295397630.3377.10.camel@tesla.lan> <4D383627.60804@tresys.com> <1295544776.4702.16.camel@tesla.lan> <4D397E26.4090904@tresys.com> <1295829820.3862.59.camel@tesla.lan> <4D3D9456.60608@gmail.com> <1295884566.1547.13.camel@tesla.lan>
Message-ID: <4D3DA1F3.7010705@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/24/2011 04:56 PM, Guido Trentalancia wrote:
> Hello Dominick !
>
> On Mon, 24/01/2011 at 16.01 +0100, Dominick Grift wrote:
>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>> Hello again !
>>>
>>> I am resubmitting the changes that I proposed a few days ago for the
>>> latest reference policy. There are a few additions and now the patch has
>>> been split into a set of 19 logical patches.
>>
>> I did a quick review of your policy and commented inline. I think most
>> of it is probably not acceptable at this point unfortunately.
>
> Yes, I have started to look at your comments. Of course they are all
> good points that you have made and that need to be changed.
>
> But after those issues will have been fixed, what else would prevent the
> patch from being committed ?

For example the way you deal with dbus chat, is not the way refpolicy
usually deals with it. Where you have dbus_*_send interfaces that only go
one way, refpolicy uses dbus_*_chat interfaces that are bi-directional.
This is because if some process sends a message and is allowed that, then
one can be sure that the receiving party will want to reply to that
message and that you will want to allow that reply (why else would you
have allowed the initial party to send a message in the first place?)

>
>> It may be beneficial to get even more familiar with reference policy and
>> the concepts/security goals it uses.
>>
>> You may also find my latest screencast called: introduction to policy
>> writing, inspiring and hopefully informative:
>>
>> http://selinux-mac.blogspot.com/2011/01/yet-another-step-by-step-introduction.html
>
> I will have a look at it. Thanks again !
>
>>> Regards,
>>>
>>> Guido Trentalancia
>
>
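
The one-way versus bi-directional D-Bus point made in the message above, as an added example that is not part of the original thread or of refpolicy: a small review helper that reads already-expanded allow rules and reports every dbus send_msg grant that has no matching rule in the reply direction. The type names in the sample are hypothetical and the sample policy is constructed; the parser assumes one plain type name on each side of a rule.

```python
import re

# Matches simple, already-expanded rules of the form
#   allow <source> <target>:dbus <perm or { perms }>;
# Assumption: single type names only (no type sets, no unexpanded macros).
RULE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*dbus\s+(\{[^}]*\}|\w+)\s*;"
)


def dbus_send_edges(policy_text):
    """Return the set of (sender, receiver) pairs granted dbus send_msg."""
    edges = set()
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0]  # drop policy comments
        match = RULE.match(line)
        if not match:
            continue
        source, target, perms = match.groups()
        if "send_msg" in perms.strip("{} ").split():
            edges.add((source, target))
    return edges


def one_way_dbus(policy_text):
    """Return sorted (sender, receiver) pairs with no rule for the reply."""
    edges = dbus_send_edges(policy_text)
    return sorted(
        (s, r) for (s, r) in edges
        # "self" rules and same-type rules are symmetric by construction.
        if r != "self" and s != r and (r, s) not in edges
    )


# Constructed sample with hypothetical types: foo_t and bar_t "chat",
# baz_t may only send to bar_t and bar_t cannot reply.
SAMPLE = """
allow foo_t bar_t:dbus send_msg;
allow bar_t foo_t:dbus send_msg;
allow baz_t bar_t:dbus { send_msg };
allow baz_t self:dbus send_msg;
allow bar_t system_dbusd_t:dbus acquire_svc;
"""

if __name__ == "__main__":
    for sender, receiver in one_way_dbus(SAMPLE):
        print(f"{sender} -> {receiver}: send_msg with no reply rule")
```
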