Security Enhanced Linux
SELinux Mailing List
Re: Patch to make can_network stronger and remove nscd tunable.
From: Thomas Bleher <bleher_at_informatik.uni-muenchen.de>
Date: Wed, 3 Nov 2004 01:07:07 +0100
First off, it would be nice if you could split your patches into logically independent pieces; it makes it much easier to read. I think there need to be some changes (comments below) but the nfs_home_dirs-related stuff should be merged as soon as possible. Currently it is broken in cvs because only some parts have been converted from tunable to boolean.
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.17.37/domains/program/crond.te

If we are going to add this to more domains we should add a macro IMHO like can_krb5_connect() or something. I do not know much about kerberos, but I think most kerberized apps will need similar permissions which should only be granted if kerberos is used.

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.17.37/domains/program/login.te

Huh? Where does this come from? Cannot see this in the cvs policy. If this is needed because of kerberos it should be ifdef'ed.

> -ifdef(`nfs_home_dirs', `

This should go into CVS ASAP, as mentioned above.

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.17.37/domains/program/unused/acct.te

allow logrotate_t acct_data_t:dir search;
allow logrotate_t acct_data_t:file create_file_perms;

This makes it easier to read, IMHO.

> --- nsapolicy/domains/program/unused/ftpd.te 2004-10-27 14:32:48.000000000 -0400

Not true. There is a boolean ftpd_is_daemon which governs this. Current policy needed inetd.te to compile but I think this is an error in the policy. The following patch should fix it:

> allow ftpd_t ftp_data_port_t:tcp_socket name_bind;

I confess I am not too familiar with ftp, but does it really need to bind to arbitrary ports? It seems excessive and unneeded (and is not granted in current policy as far as I can see).

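Review bot: the quoted rule `allow ftpd_t ftp_data_port_t:tcp_socket name_bind;` names a specific port type, but as quoted nothing beside it says why ftpd_t needs to bind that type. A one-line comment next to the rule stating its purpose would make the grant easier to audit and would settle the question raised in the reply about how wide the bind permission is.
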
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.17.37/domains/program/unused/ping.te

dontaudit ping_t self:capability sys_tty_config;

is nicer.

> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mailman.fc policy-1.17.37/file_contexts/program/mailman.fc

Sorry, I do not know mailman at all, so please excuse my ignorance. But does mailman really have to write to /etc/mailman, which is presumably its configuration data? This is not nice at all.

> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.17.37/macros/program/ssh_macros.te

Ahh, nice to see single_userdomain finally gone. There were a few other superfluous braces, but the rest looks fine.

Thomas

--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7

Received on Tue 2 Nov 2004 - 19:07:32 EST
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |