From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 17 Mar 2011 08:16:33 -0400
Subject: [refpolicy] I think refpolicy should replace all corenet.*all_nodes with corenet.*generic_node()
In-Reply-To: <4D812C84.6090900@redhat.com>
References: <4D812C84.6090900@redhat.com>
Message-ID: <4D81FBA1.2070409@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/16/11 17:32, Daniel J Walsh wrote:
> Similarly corenet.*all_if with corenet.*generic_if()
>
> If I add a label to an interface I want no domains to be able to use it,
> except unconfined domains and domains I specify in a policy module.
>
> Since we have only one generic node and one generic interface, I think
> these are bugs.
>
> I have just changed Fedora F15 to match this assumption.

Yes, though the one exception is the perms on kernel_t. Last year I made
a pass through the policy to do this for nodes and netifs, but I guess I
missed a few.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
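
Added example, not part of the original message or of refpolicy itself: a small audit script that finds the corenet_*_all_nodes() and corenet_*_all_if() calls discussed in this thread, skips kernel_t, and suggests the generic_node/generic_if form. It assumes every such interface has a generic counterpart with the same prefix; the domain myapp_t and the sample policy text are constructed.

```python
import re

# Calls such as corenet_tcp_bind_all_nodes(foo_t) or corenet_tcp_sendrecv_all_if(foo_t).
CALL = re.compile(r"\b(corenet_\w+?)_all_(nodes|if)\(\s*([^)\s]+)\s*\)")
SUFFIX = {"nodes": "generic_node", "if": "generic_if"}
EXEMPT = {"kernel_t"}  # the exception named in the reply above

def _swap(m):
    """Return the generic_* form of a matched call, or the call unchanged if exempt."""
    prefix, kind, domain = m.groups()
    if domain in EXEMPT:
        return m.group(0)
    return f"{prefix}_{SUFFIX[kind]}({domain})"

def audit(te_text):
    """Return (line_no, original_call, suggested_call) for each non-exempt call."""
    findings = []
    for no, line in enumerate(te_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore policy comments
        for m in CALL.finditer(code):
            suggestion = _swap(m)
            if suggestion != m.group(0):
                findings.append((no, m.group(0), suggestion))
    return findings

def rewrite(te_text):
    """Return the policy text with non-exempt calls replaced; comments are kept as-is."""
    out = []
    for line in te_text.splitlines():
        code, sep, comment = line.partition("#")
        out.append(CALL.sub(_swap, code) + sep + comment)
    return "\n".join(out)

# Constructed sample .te content (myapp_t and other_t are hypothetical domains).
SAMPLE = """\
policy_module(myapp, 1.0.0)
corenet_tcp_sendrecv_all_if(myapp_t)
corenet_tcp_sendrecv_all_nodes(myapp_t)
corenet_tcp_bind_all_nodes(myapp_t)
# corenet_udp_bind_all_nodes(myapp_t)  disabled
corenet_raw_sendrecv_all_nodes(kernel_t)
corenet_tcp_sendrecv_generic_if(other_t)
"""

if __name__ == "__main__":
    for no, old, new in audit(SAMPLE):
        print(f"line {no}: {old} -> {new}")
```
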