From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 03 Jul 2012 07:18:06 -0400
Subject: [refpolicy] pptp_t vs pppd_t
In-Reply-To: <201207031543.56296.russell@coker.com.au>
References: <201207031543.56296.russell@coker.com.au>
Message-ID: <4FF2D4EE.6050805@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/03/2012 01:43 AM, Russell Coker wrote:
> Is there a real benefit in having separate domains for pptp and pppd?
>
> The access that they have is very similar and the differences are things
> that aren't so significant (EG pptp_t denied access to
> pppd_devpts_t:chr_file).
>
> Also both the programs can run each other (the policy allows pppd to run
> pptpd and in my test network pptpd needs to run pppd) which limits the
> ability to create a useful separation.
>
> I think it would be best if we merged the two domains.
>

I am always for merging domains together. I think we have far too many
domains that basically have the security domain and just add complexity.
Fedora consolidated all of the "spam" domains also. I really believe we
should consolidate the mail domains. mail_t instead of sendmail_t,
postfix_t, qmail_t, dovecot_t, courier_t ...