From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 3 Aug 2015 11:52:44 -0400
Subject: [refpolicy] kdbus support
In-Reply-To: <55BF8B58.7000100@tycho.nsa.gov>
References: <55BF5F1B.1010002@redhat.com> <55BF6C54.9070806@tycho.nsa.gov> <55BF7BA8.8000905@redhat.com> <55BF8B58.7000100@tycho.nsa.gov>
Message-ID: <55BF8E4C.9010706@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/03/2015 11:40 AM, Stephen Smalley wrote:
> On 08/03/2015 10:33 AM, Daniel J Walsh wrote:
>>
>> On 08/03/2015 09:27 AM, Stephen Smalley wrote:
>>> On 08/03/2015 08:31 AM, Miroslav Grepl wrote:
>>>> I am working on kdbus support on Fedora 24. Basically we need to add
>>>> support for
>>>>
>>>> /sys/fs/kdbus
>>>>
>>>> and I am thinking about correct labeling. Something like
>>>>
>>>> +type kdbusfs_t;
>>>> +fs_type(kdbusfs_t)
>>>> +files_mountpoint(kdbusfs_t)
>>>> +dev_associate_sysfs(kdbusfs_t)
>>>> +genfscon kdbusfs / gen_context(system_u:object_r:kdbusfs_t,s0)
>>>>
>>>> What do you think about kdbusfs_t label?
>>> Until kdbus has LSM hooks, it should not be accessible by anything.
>>> Otherwise, it is a completely uncontrolled IPC mechanism by which
>>> anything is free to violate policy on the system.
>>>
>>>
>>> _______________________________________________
>>> refpolicy mailing list
>>> refpolicy at oss.tresys.com
>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>> Well Rawhide is totally broken right now, and everyone has to boot in
>> permissive mode.
>>
>> We need to allow this for now and then fix the kernel.
>>
> Is it unreasonable to require Fedora developers to test with SELinux
> enforcing before submitting changes? Especially systemd...
>
I am sure the developers would argue that the whole process would grind to a halt.
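
Review bot: the proposed lines declare kdbusfs_t and label the whole filesystem with it through `genfscon kdbusfs /`, but nothing in the snippet says which domains, if any, are meant to get access to the new type. Given the objection in this thread that kdbus has no LSM hooks yet, the submission should state that explicitly, either by shipping the type with no access interfaces or by listing the interfaces that are intended to accompany it. A one-line comment above `type kdbusfs_t;` describing what the type covers would also help, since the snippet carries no documentation.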