SELinux Mailing List
Re: Policy mods in last nights refpolicy
From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Tue, 15 Nov 2005 19:55:48 -0500
>> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/files.fc serefpolicy-2.0.1/policy/modules/system/files.fc
>> --- nsaserefpolicy/policy/modules/system/files.fc	2005-11-14 18:24:06.000000000 -0500
>> +++ serefpolicy-2.0.1/policy/modules/system/files.fc	2005-11-15 09:19:21.000000000 -0500
>> @@ -214,3 +214,4 @@
>>  /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s0)
>>  /var/tmp/lost\+found/.*	<<none>>
>>  /var/tmp/vi\.recover	-d	gen_context(system_u:object_r:tmp_t,s0)
>> +/var/lib/abl(/.*)?	gen_context(system_u:object_r:var_auth_t,s0)
>> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/files.te serefpolicy-2.0.1/policy/modules/system/files.te
>> --- nsaserefpolicy/policy/modules/system/files.te	2005-11-14 18:24:06.000000000 -0500
>> +++ serefpolicy-2.0.1/policy/modules/system/files.te	2005-11-15 09:19:21.000000000 -0500
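Review bot: in the files.fc hunk the new entry labels `/var/lib/abl(/.*)?`, while the comment added for the same type in files.te says it is "the type of /var/lib/auth"; one of the two paths is wrong, so confirm the directory the PAM module actually writes to and make the fc entry and the comment agree. Since `var_auth_t` is a PAM type, this fc line also belongs in authlogin.fc rather than files.fc once the type itself moves to authlogin, so the module stays self-contained.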
>> @@ -167,3 +167,12 @@
>>  #
>>  type var_spool_t;
>>  files_tmp_file(var_spool_t)
>> +
>> +#
>> +# var_auth_t is the type of /var/lib/auth, usually
>> +# used for auth data in pam_able
>> +#
>> +type var_auth_t, file_type;
>> +fs_associate(var_auth_t)
>> +fs_associate_noxattr(var_auth_t)
>>
>
> A couple notes. It seems more logical for var_auth_t to be in authlogin
> along with the rest of the pam types. Also, if it's not moved, then
> encapsulation is broken since an interface in authlogin refers to types
> not in that module.
>
Ok fine

> I'll move var_auth_t to authlogin, but I'm not clear on the rules you
> added to auth_use_nsswitch():
>
> Is this really supposed to be create_file_perms? It seems like it
> should just be r_file_perms since the dir access is r_dir_perms. The
> interface also needs a gen_require() since it not explicitly refers to
> types.
>
No apps need to be able to create and delete files in this directory. This pam applet keeps track of failed logins or something like that.

> Also, now that people are going to be using refpolicy, we're going to
> have to start bumping the module versions in the policy_module()
> statements when changes are made, so that modules can be upgraded
> correctly. Currently the modules are set to 1.0. After a little
> thought, it seems like it would be better if we go to x.y.z for
> versioning: bump z for each changed module when committing to
> sourceforge; bump y for each changed module when releasing; bump x for
> major design changes to the module. Does this seem like a reasonable
> versioning scheme?
>
Yes. Why not start out at 2.0.1 though since this is a major step forward in policy.

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

Received on Tue 15 Nov 2005 - 20:06:44 EST
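Review bot: in the files.te hunk, `type var_auth_t, file_type;` attaches the `file_type` attribute by naming it directly, which is only legitimate inside files.te where that attribute is declared; when the declaration moves to authlogin.te, as the reply suggests, it should become `type var_auth_t;` followed by `files_type(var_auth_t)` so the attribute is reached through the files module's interface and no module refers to a symbol it does not own. The comment block should also be corrected to name the same directory as the fc entry and to spell the PAM module's name the way its project does, since "pam_able" does not match the `abl` path the fc hunk labels.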
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |
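As an added illustration (not code from this thread or from refpolicy itself) of the three review points above, here is how the type and a read-only interface could look once `var_auth_t` is moved into authlogin: the interface name `auth_read_var_auth` is hypothetical, and `files_type`, `files_search_var_lib` and the `r_dir_perms`/`r_file_perms` permission macros are assumed to be the refpolicy ones of that era.

```m4
# authlogin.te (added example): after the move, the type no longer names the
# `file_type` attribute directly; files_type() reaches it through the files
# module's own interface, which keeps module encapsulation intact.
type var_auth_t;
files_type(var_auth_t)

# authlogin.if (added example; the interface name is hypothetical)
## <summary>
##	Read the failed-login records the PAM module keeps under /var/lib/abl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_read_var_auth',`
	# Every type an interface uses must be listed in gen_require(); without
	# it, a module that calls this interface cannot resolve var_auth_t at
	# link time.
	gen_require(`
		type var_auth_t;
	')

	files_search_var_lib($1)
	# Read-only on both the directory and its files, matching r_dir_perms
	# on the directory: callers only need to read the records, and
	# create_file_perms would let any caller add or remove them.
	allow $1 var_auth_t:dir r_dir_perms;
	allow $1 var_auth_t:file r_file_perms;
')
```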