http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_staff.patch
Allow staff user to exec files on removable devices
Needs access to run sandbox
Additional access for staff reading kernel info.
staff_t needs to run newrole to relabel content in his homedir
Needs to run ping
Added distro_redhat to eliminate all of the transitions that we did not
want.
On 06/02/10 16:31, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_staff.patch
>
> Allow staff user to exec files on removable devices
>
> Needs access to run sandbox
>
> Additional access for staff reading kernel info.
>
> staff_t needs to run newrole to relabel content in his homedir
>
> Needs to run ping
>
> Added distro_redhat to eliminate all of the transitions that we did not
> want.
This needs to be cleaned up, it's way off from typical refpolicy style.
Also, instead of ifndef'ing individual optional blocks, they should all
be collected into one big ifndef block.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 07/06/2010 08:42 AM, Christopher J. PeBenito wrote:
> On 06/02/10 16:31, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_staff.patch
>>
>> Allow staff user to exec files on removable devices
>>
>> Needs access to run sandbox
>>
>> Additional access for staff reading kernel info.
>>
>> staff_t needs to run newrole to relabel content in his homedir
>>
>> Needs to run ping
>>
>> Added distro_redhat to eliminate all of the transitions that we did not
>> want.
>
> This needs to be cleaned up, it's way off from typical refpolicy style.
> Also, instead of ifndef'ing individual optional blocks, they should all
> be collected into one big ifndef block.
>
>
I originally did this but I thought you asked me to move it to this
format to make the changes less severe.
On 07/12/10 10:19, Daniel J Walsh wrote:
> On 07/06/2010 08:42 AM, Christopher J. PeBenito wrote:
>> On 06/02/10 16:31, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_staff.patch
>>>
>>> Allow staff user to exec files on removable devices
>>>
>>> Needs access to run sandbox
>>>
>>> Additional access for staff reading kernel info.
>>>
>>> staff_t needs to run newrole to relabel content in his homedir
>>>
>>> Needs to run ping
>>>
>>> Added distro_redhat to eliminate all of the transitions that we did not
>>> want.
>>
>> This needs to be cleaned up, it's way off from typical refpolicy style.
>> Also, instead of ifndef'ing individual optional blocks, they should all
>> be collected into one big ifndef block.
>>
>>
> I originally did this but I thought you asked me to move it to this
> format to make the changes less severe.
Did I? If so, sorry about the confusion. I would prefer that there be
just the single distro_redhat block. But if you can separate the patch
into two: one that moves current rules into the ifndef distro_redhat
block and another that has all the other unrelated changes, that would
make it easier.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 07/19/2010 01:28 PM, Christopher J. PeBenito wrote:
> On 07/12/10 10:19, Daniel J Walsh wrote:
>> On 07/06/2010 08:42 AM, Christopher J. PeBenito wrote:
>>> On 06/02/10 16:31, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_staff.patch
>>>>
>>>> Allow staff user to exec files on removable devices
>>>>
>>>> Needs access to run sandbox
>>>>
>>>> Additional access for staff reading kernel info.
>>>>
>>>> staff_t needs to run newrole to relabel content in his homedir
>>>>
>>>> Needs to run ping
>>>>
>>>> Added distro_redhat to eliminate all of the transitions that we did not
>>>> want.
>>>
>>> This needs to be cleaned up, it's way off from typical refpolicy style.
>>> Also, instead of ifndef'ing individual optional blocks, they should all
>>> be collected into one big ifndef block.
>>>
>>>
>> I originally did this but I thought you asked me to move it to this
>> format to make the changes less severe.
>
> Did I? If so, sorry about the confusion. I would prefer that there be
> just the single distro_redhat block. But if you can separate the patch
> into two: one that moves current rules into the ifndef distro_redhat
> block and another that has all the other unrelated changes, that would
> make it easier.
>
>
This patch removes the role transitions from staff.te, unprivuser.te and
sysadm.te for the redhat policies.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: role_trans.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20100720/dd18c081/attachment.pl