From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 17 Mar 2011 15:49:29 -0400
Subject: [refpolicy] Question: and the policy grows...
In-Reply-To: <4D825440.6070207@redhat.com>
References: <1300369855.30425.14.camel@tesla.lan>		<4D8219D9.7080504@redhat.com>	<1300377867.30425.40.camel@tesla.lan>	<4D823A60.9020107@redhat.com>
	<4D824AC3.4070502@tresys.com> <4D825440.6070207@redhat.com>
Message-ID: <4D8265C9.80604@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is a patch against refpolicy that removes most of the opens on
terminals.

http://people.fedoraproject.org/~dwalsh/SELinux/refpolicy_inherited_term.patch

A similar patch on F15 shows

# sesearch -A -t user_devpts_t -p write -c chr_file -C  | grep -v ^D | wc -l
180
# sesearch -A -t user_devpts_t -p open -c chr_file -C  | grep -v ^D | wc -l
32

# sesearch -A -t user_tty_device_t -p write -c chr_file -C  | grep -v ^D
| wc -l
174
# sesearch -A -t user_tty_device_t -p open -c chr_file -C  | grep -v ^D
| wc -l
29
# sesearch -A -t tty_device_t -p write -c chr_file -C  | grep -v ^D | wc -l
72
# sesearch -A -t tty_device_t -p open -c chr_file -C  | grep -v ^D | wc -l
35

The Fedora patch is just tested locally and I will probably wait to put
this fix into F16 since it is kind of dangerous at this point.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2CZcUACgkQrlYvE4MpobO6mACgoB/mXlZJuIebKmdhBIamoba5
ONAAoJ8Cf8XSU/aPjllYFfIMlg3Xwsep
=frjC
-----END PGP SIGNATURE-----