From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 17 Mar 2011 15:49:29 -0400
Subject: [refpolicy] Question: and the policy grows...
In-Reply-To: <4D825440.6070207@redhat.com>
References: <1300369855.30425.14.camel@tesla.lan> <4D8219D9.7080504@redhat.com> <1300377867.30425.40.camel@tesla.lan> <4D823A60.9020107@redhat.com> <4D824AC3.4070502@tresys.com> <4D825440.6070207@redhat.com>
Message-ID: <4D8265C9.80604@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Here is a patch against refpolicy that removes most of the opens on terminals.

http://people.fedoraproject.org/~dwalsh/SELinux/refpolicy_inherited_term.patch

A similar patch on F15 shows

# sesearch -A -t user_devpts_t -p write -c chr_file -C | grep -v ^D | wc -l
180
# sesearch -A -t user_devpts_t -p open -c chr_file -C | grep -v ^D | wc -l
32
# sesearch -A -t user_tty_device_t -p write -c chr_file -C | grep -v ^D | wc -l
174
# sesearch -A -t user_tty_device_t -p open -c chr_file -C | grep -v ^D | wc -l
29
# sesearch -A -t tty_device_t -p write -c chr_file -C | grep -v ^D | wc -l
72
# sesearch -A -t tty_device_t -p open -c chr_file -C | grep -v ^D | wc -l
35

The Fedora patch is just tested locally and I will probably wait to put this fix into F16 since it is kind of dangerous at this point.