From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 03 Jul 2012 09:44:15 -0400
Subject: [refpolicy] pptp_t vs pppd_t
In-Reply-To: <4FF2DBE3.7030106@redhat.com>
References: <201207031543.56296.russell@coker.com.au>
	<4FF2D4EE.6050805@redhat.com> <4FF2DBE3.7030106@redhat.com>
Message-ID: <4FF2F72F.2030001@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 7/3/2012 7:47 AM, Miroslav Grepl wrote:
> On 07/03/2012 01:18 PM, Daniel J Walsh wrote:
>> On 07/03/2012 01:43 AM, Russell Coker wrote:
>>> Is there a real benefit in having separate domains for pptp and pppd?
>>>
>>> The access that they have is very similar and the differences are things
>>> that aren't so significant (EG pptp_t denied access to
>>> pppd_devpts_t:chr_file).
>>>
>>> Also both the programs can run each other (the policy allows pppd to run
>>> pptpd and in my test network pptpd needs to run pppd) which limits the
>>> ability to create a useful separation.
>>>
>>> I think it would be best if we merged the two domains.
>>>
>> I am always for merging domains together.  I think we have far too many
>> domains that basically have the security domain and just add complexity.
>> Fedora consolidated all of the "spam" domains also.
>>
>> I really believe we should consolidate the mail domains.  mail_t instead of
>> sendmail_t, postfix_t, qmail_t, dovecot_t, courier_t ...
> I agree with this. The question is whether it could be accepted?

Dan has contrib commit access, so he can upstream the changes.  I'm fine with the pptp/pppd merging. (don't forget aliases, etc. for compatibility)  The mail server domains is a little dicier, as that is a significant change, and my preference would be to discuss what can be done, as I generally agree with Russell's other email.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com