SELinux Mailing List

Re: latest diff

From: Christopher J. PeBenito <cpebenito_at_tresys.com>
Date: Sat, 19 Mar 2005 11:14:50 -0500


On Sat, 2005-03-19 at 01:53 -0500, Daniel J Walsh wrote:
> I think we can remove the hostname policy, it adds little value.
[cut]
> I think it would work fine without hostname policy. I think we could
> probably get rid of consoletype also.

I don't remember why hostname and consoletype were added in the first place, but a quick look through them makes me think that it's so we don't have to give sys_admin capability to initrc_t when these programs are run from init scripts. Sys_admin is a huge set of privileges, so I'd say it's worthwhile to keep them around.

> plain text document attachment (diff)
> +bool use_syslogng false;
> +
> +if (use_syslogng) {
> +allow syslogd_t proc_kmsg_t:file write;
> +allow syslogd_t self:capability { sys_admin chown };
> +}
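
Review bot: the `allow syslogd_t self:capability { sys_admin chown };` rule inside the `use_syslogng` conditional carries no comment saying which syslog-ng operation needs sys_admin or chown, and the same is true of the `proc_kmsg_t:file write` rule above it. Since sys_admin is a broad capability, I would ask for a one-line comment on each rule naming the operation it covers, and for the two rules to be justified separately rather than bundled under one boolean. The rules inside the `if` block would also read better indented.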

Shouldn't this go in the ifdef(`klogd.te',`',` block? It's already there for syslogds that also do the klogd functions, like syslog-ng. In fact, I think that block was originally added for syslog-ng. That should eliminate the need for a boolean too.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


Received on Sat 19 Mar 2005 - 11:14:14 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service