From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 18 Mar 2011 09:30:31 -0400
Subject: [refpolicy] Question: and the policy grows...
In-Reply-To: <4D825440.6070207@redhat.com>
References: <1300369855.30425.14.camel@tesla.lan> <4D8219D9.7080504@redhat.com> <1300377867.30425.40.camel@tesla.lan> <4D823A60.9020107@redhat.com> <4D824AC3.4070502@tresys.com> <4D825440.6070207@redhat.com>
Message-ID: <4D835E77.5000304@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/17/11 14:34, Daniel J Walsh wrote:
> On 03/17/2011 01:54 PM, Christopher J. PeBenito wrote:
>> On 03/17/11 12:44, Daniel J Walsh wrote:
>>> On 03/17/2011 12:04 PM, Guido Trentalancia wrote:
>>>> On Thu, 17/03/2011 at 10.25 -0400, Daniel J Walsh wrote:
>>>>> On 03/17/2011 09:50 AM, Guido Trentalancia wrote:
>
>>>>> For example, we have lots of code that allows confined applications to
>>>>> open terminals. I would bet that almost no confined processes ever open
>>>>> a terminal. And yet the ability to open a terminal can give you a
>>>>> communications channel to attack other confined processes or even the
>>>>> confined user.
>
>> Get me a set of patches that fixes that, and I'll be glad to merge it.
>
>
> I am experimenting with this now. But it would be good if we could
> agree on the terminology.
>
> rw_inherited_term_perms is what I am calling it.
>
> And
>
> userdom_use_inherited_term
> terminal_use_all_inherited_terminals

We can go with this, though I think we should change the rw_term_perms into use_term_perms for consistency.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
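To make the "inherited" distinction being negotiated above concrete, here is an added illustration in refpolicy's m4 style. It is not code from this thread and not refpolicy's own definitions: only the names rw_term_perms, rw_inherited_term_perms, userdom_use_inherited_term and terminal_use_all_inherited_terminals come from the message; the bodies of the permission sets and interfaces, the user_ttynode/user_ptynode attribute names and the example_daemon_t domain are assumptions made here for the sake of the example.

```m4
# Added illustration (not refpolicy code). Names taken from the thread:
# rw_term_perms, rw_inherited_term_perms, userdom_use_inherited_term,
# terminal_use_all_inherited_terminals. Everything else is assumed.

# obj_perm_sets.spt style. The only difference between the two sets is
# `open`: a domain holding the inherited set can keep reading and writing
# a terminal fd its parent already opened and passed down, but cannot
# open /dev/ttyN or /dev/pts/N by path itself. That is the "open a
# terminal and talk to another confined process" channel being removed.
define(`rw_term_perms', `{ getattr open read write append ioctl }')
define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')

# terminal.if style. Contrast with an interface granting rw_term_perms on
# the same types, which would also let $1 open the nodes by path.
interface(`terminal_use_all_inherited_terminals',`
	gen_require(`
		attribute ttynode, ptynode;
		type devpts_t, tty_device_t;
	')

	# Deliberately no dev_list_all_dev_nodes($1): without `open`, being
	# able to search /dev buys the domain nothing it needs.
	allow $1 { ttynode ptynode devpts_t tty_device_t }:chr_file rw_inherited_term_perms;
')

# userdomain.if style: reach the user tty/pty types through attributes so
# that only the inherited set is granted on them.
interface(`userdom_use_inherited_term',`
	gen_require(`
		# assumption: attribute names used here for illustration
		attribute user_ttynode, user_ptynode;
	')

	allow $1 { user_ttynode user_ptynode }:chr_file rw_inherited_term_perms;
')

# Hypothetical confined daemon that only ever writes to the terminal it
# was started from (e.g. when an admin runs it from a shell to debug).
type example_daemon_t;
domain_type(example_daemon_t)

# Before: the daemon could open any user tty or pty by path.
# term_use_all_terms(example_daemon_t)
#
# After: it may only use a terminal fd inherited from its parent. It also
# needs `fd use` on the parent's fds, or the inherited fd is unusable
# regardless of the chr_file permissions granted above.
terminal_use_all_inherited_terminals(example_daemon_t)
userdom_use_inherited_term(example_daemon_t)
domain_use_interactive_fds(example_daemon_t)
```

Two caveats a practitioner should keep in mind when applying this split. First, the kernel only checks the separate `open` permission when the policy declares the `open_perms` policy capability; refpolicy does, but on a policy without it the two sets behave identically. Second, to find which domains in a built policy can still open terminal nodes by path, query the compiled policy rather than reading the sources, for example with setools: `sesearch -A -t ptynode -c chr_file -p open` (the attribute name and class are as used in the example above).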