From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 03 Jul 2012 09:44:15 -0400
Subject: [refpolicy] pptp_t vs pppd_t
In-Reply-To: <4FF2DBE3.7030106@redhat.com>
References: <201207031543.56296.russell@coker.com.au> <4FF2D4EE.6050805@redhat.com> <4FF2DBE3.7030106@redhat.com>
Message-ID: <4FF2F72F.2030001@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 7/3/2012 7:47 AM, Miroslav Grepl wrote:
> On 07/03/2012 01:18 PM, Daniel J Walsh wrote:
>> On 07/03/2012 01:43 AM, Russell Coker wrote:
>>> Is there a real benefit in having separate domains for pptp and pppd?
>>>
>>> The access that they have is very similar and the differences are things
>>> that aren't so significant (EG pptp_t denied access to
>>> pppd_devpts_t:chr_file).
>>>
>>> Also both the programs can run each other (the policy allows pppd to run
>>> pptpd and in my test network pptpd needs to run pppd) which limits the
>>> ability to create a useful separation.
>>>
>>> I think it would be best if we merged the two domains.
>>>
>> I am always for merging domains together. I think we have far too many
>> domains that basically have the security domain and just add complexity.
>> Fedora consolidated all of the "spam" domains also.
>>
>> I really believe we should consolidate the mail domains. mail_t instead of
>> sendmail_t, postfix_t, qmail_t, dovecot_t, courier_t ...
> I agree with this. The question is whether it could be accepted?

Dan has contrib commit access, so he can upstream the changes.

I'm fine with the pptp/pppd merging. (don't forget aliases, etc. for compatibility) The mail server domains is a little dicier, as that is a significant change, and my preference would be to discuss what can be done, as I generally agree with Russell's other email.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com