I've attached a little patch for UBAC. Firstly it allows unconfined_u the
same rights to override UBAC controls as system_u - if you want a UBAC
confined identity then you can use one of the others. unconfined remains
unconfined. Given the lack of use of UBAC this probably doesn't make any
difference to anyone. I'm leaving it in the Debian source tree though to make
things easier for anyone who does decide to do a UBAC policy build, and I
think it should be upstream for the same reason.
Also the patch allows the unconfined_u identity access to the system_r role.
This permits restarting daemons that run in the system_r role without using
run_init.
--
russell at coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ubac.diff
Type: text/x-patch
Size: 809 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100628/8cc4724b/attachment.bin
On Mon, 2010-06-28 at 15:25 +1000, Russell Coker wrote:
> I've attached a little patch for UBAC. Firstly it allows unconfined_u the
> same rights to override UBAC controls as system_u - if you want a UBAC
> confined identity then you can use one of the others. unconfined remains
> unconfined. Given the lack of use of UBAC this probably doesn't make any
> difference to anyone. I'm leaving it in the Debian source tree though to make
> things easier for anyone who does decide to do a UBAC policy build, and I
> think it should be upstream for the same reason.
>
> Also the patch allows the unconfined_u identity access to the system_r role.
> This permits restarting daemons that run in the system_r role without using
> run_init.
I'm going to leave this out for now since UBAC isn't widely used.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Mon, 28 Jun 2010, "Christopher J. PeBenito" <[email protected]> wrote:
> On Mon, 2010-06-28 at 15:25 +1000, Russell Coker wrote:
> > I've attached a little patch for UBAC. Firstly it allows unconfined_u
> > the same rights to override UBAC controls as system_u - if you want a
> > UBAC confined identity then you can use one of the others. unconfined
> > remains unconfined. Given the lack of use of UBAC this probably doesn't
> > make any difference to anyone. I'm leaving it in the Debian source tree
> > though to make things easier for anyone who does decide to do a UBAC
> > policy build, and I think it should be upstream for the same reason.
> >
> >
> >
> > Also the patch allows the unconfined_u identity access to the system_r
> > role. This permits restarting daemons that run in the system_r role
> > without using run_init.
>
> I'm going to leave this out for now since UBAC isn't widely used.
Should I submit a patch to remove UBAC then? I think we should either improve
it as much as possible or remove it.
--
russell at coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
On Tue, 2010-06-29 at 03:18 +1000, Russell Coker wrote:
> On Mon, 28 Jun 2010, "Christopher J. PeBenito" <[email protected]> wrote:
> > On Mon, 2010-06-28 at 15:25 +1000, Russell Coker wrote:
> > > I've attached a little patch for UBAC. Firstly it allows unconfined_u
> > > the same rights to override UBAC controls as system_u - if you want a
> > > UBAC confined identity then you can use one of the others. unconfined
> > > remains unconfined. Given the lack of use of UBAC this probably doesn't
> > > make any difference to anyone. I'm leaving it in the Debian source tree
> > > though to make things easier for anyone who does decide to do a UBAC
> > > policy build, and I think it should be upstream for the same reason.
> > >
> > >
> > >
> > > Also the patch allows the unconfined_u identity access to the system_r
> > > role. This permits restarting daemons that run in the system_r role
> > > without using run_init.
> >
> > I'm going to leave this out for now since UBAC isn't widely used.
>
> Should I submit a patch to remove UBAC then? I think we should either improve
> it as much as possible or remove it.
Let me clarify. Typically the people that use it don't use unconfined.
UBAC will not be removed.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com