From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 18 Mar 2011 09:30:31 -0400
Subject: [refpolicy] Question: and the policy grows...
In-Reply-To: <4D825440.6070207@redhat.com>
References: <1300369855.30425.14.camel@tesla.lan>		<4D8219D9.7080504@redhat.com>
	<1300377867.30425.40.camel@tesla.lan>
	<4D823A60.9020107@redhat.com> <4D824AC3.4070502@tresys.com>
	<4D825440.6070207@redhat.com>
Message-ID: <4D835E77.5000304@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/17/11 14:34, Daniel J Walsh wrote:
> On 03/17/2011 01:54 PM, Christopher J. PeBenito wrote:
>> On 03/17/11 12:44, Daniel J Walsh wrote:
>>> On 03/17/2011 12:04 PM, Guido Trentalancia wrote:
>>>> On Thu, 17/03/2011 at 10.25 -0400, Daniel J Walsh wrote:
>>>>> On 03/17/2011 09:50 AM, Guido Trentalancia wrote:
> 
>>>>> For example, we have lots of code that allows confined applications to
>>>>> open terminals.  I would bet that almost no confined processes ever open
>>>>> a terminal.  And yet the ability to open a terminal can give you a
>>>>> communications channel to attack other confined processes or even the
>>>>> confined user.
> 
>> Get me a set of patches that fixes that, and I'll be glad to merge it.
> 
> 
> I am experimenting with this now.  But it would be good if we could
> agree on the terminology.
> 
> rw_inherited_term_perms is what I am calling it.
> 
> And
> 
> userdom_use_inherited_term
> terminal_use_all_inherited_terminals

We can go with this, though I think we should change the rw_term_perms
into use_term_perms for consistency.


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com