From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 3 Aug 2015 20:19:49 +0200
Subject: [refpolicy] kdbus support
In-Reply-To: <55BF7BA8.8000905@redhat.com>
References: <55BF5F1B.1010002@redhat.com> <55BF6C54.9070806@tycho.nsa.gov> <55BF7BA8.8000905@redhat.com>
Message-ID: <20150803181948.GA31031@x250>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Aug 03, 2015 at 10:33:12AM -0400, Daniel J Walsh wrote:
>
>
> On 08/03/2015 09:27 AM, Stephen Smalley wrote:
> > On 08/03/2015 08:31 AM, Miroslav Grepl wrote:
> >> I am working on kdbus support on Fedora 24. Basically we need to add
> >> support for
> >>
> >> /sys/fs/kdbus
> >>
> >> and I am thinking about correct labeling. Something like
> >>
> >> +type kdbusfs_t;
> >> +fs_type(kdbusfs_t)
> >> +files_mountpoint(kdbusfs_t)
> >> +dev_associate_sysfs(kdbusfs_t)
> >> +genfscon kdbusfs / gen_context(system_u:object_r:kdbusfs_t,s0)
> >>
> >> What do you think about kdbusfs_t label?
> > Until kdbus has LSM hooks, it should not be accessible by anything.
> > Otherwise, it is a completely uncontrolled IPC mechanism by which
> > anything is free to violate policy on the system.
> Well Rawhide is totally broken right now, and everyone has to boot in
> permissive mode.
>
> We need to allow this for now and then fix the kernel.

huh, rawhide works fine here

just don't add kdbus=1 on the kernel boot line and you'll be fine

one thing i noticed though is that even without kdbus=1, a lot of processes now all of a sudden want to traverse /sys
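
Review bot: the single "genfscon kdbusfs /" line at the end of the proposed snippet gives every object on that filesystem the one type kdbusfs_t, so later policy cannot tell one node under /sys/fs/kdbus from another; if finer-grained control is intended, more specific genfscon path entries would be needed alongside it. The snippet also carries no comment on why both files_mountpoint(kdbusfs_t) and dev_associate_sysfs(kdbusfs_t) are required, which is worth documenting next to those two lines.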