SELinux Mailing List
Subject: Patch to add a "netuser" role and user
Date: Wed, 08 Mar 2006 00:13:09 +0100

Maybe this patch (when reviewed) could serve as an example of how to add new user roles?

best regards,
-- erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C
(o_  This one's tricky. You have to use imaginary numbers, like
//\  eleventeen... --- Hobbes
V_/_ Every woman expects of a man that he keeps what she promises herself of him.

From: Christopher J. PeBenito <cpebenito_at_tresys.com>
Subject: Re: Patch to add a "netuser" role and user
Date: Wed, 08 Mar 2006 13:30:11 -0500
The patch is a reasonable example for adding roles, but I'm not sure that it should be added. I can't think of a compelling need for it, especially since it's basically user_r with user_tcp_server enabled, as you mention above.

-- Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Erich Schubert <erich_at_debian.org>
Subject: Re: Patch to add a "netuser" role and user
Date: Wed, 08 Mar 2006 20:13:59 +0100
Except that you might not want to allow user_tcp_server for all users, and with netuser you can give this permission easily to individual users on a per-user basis. I also had to add:

    sysnet_dns_name_resolve($1_t)
    allow $1_t self:tcp_socket create_stream_socket_perms;
    allow $1_t self:udp_socket create_stream_socket_perms;

so it could actually use the sockets. Probably missing for user_tcp_server, too. Haven't tested that yet (do tunables actually work? ssh_sysadm_login doesn't work for me).

best regards,
-- erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C
(o_  A polar bear is a rectangular bear after a coordinate transform.
//\  If people do not believe that mathematics is simple, it is only
V_/_ because they do not realize how complicated life is. --- John von Neumann

From: Christopher J. PeBenito <cpebenito_at_tresys.com>
Subject: Re: Patch to add a "netuser" role and user
Date: Thu, 09 Mar 2006 09:46:57 -0500
That is true, but I don't find binding to generic ports to be a compelling reason to add another role to the upstream policy.

-- Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From: Erich Schubert <erich_at_debian.org>
Subject: Re: Patch to add a "netuser" role and user
Date: Thu, 09 Mar 2006 19:05:09 +0100
So you want tons of admins to enable user_tcp_server (which apparently currently doesn't give all the needed permissions to fulfil its promises) when they are running a user TCP service? E.g. an IRC bouncer? Maybe a "web service"? A custom Java app? I think this role is very interesting to have for admins. And always remember what the AppArmor people say: that they are easier to use. So why not add things like this role to make SELinux easier to use for certain common situations, too?

best regards,
-- erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C
(o_  Reality continues to ruin my life --- Calvin
//\  Friends call themselves sincere; enemies are so: hence one should use
V_/_ their censure for self-knowledge, as a bitter medicine. --- Arthur Schopenhauer

From: Christopher J. PeBenito <cpebenito_at_tresys.com>
Subject: Re: Patch to add a "netuser" role and user
Date: Mon, 13 Mar 2006 09:12:58 -0500
If the user templates are missing rules, then they need to be fixed.

-- Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
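The patch itself is not reproduced on this page. As an added illustration (not Erich's patch and not part of the reference policy), the following sketch shows what a minimal module for such a role would look like in reference policy syntax: the unprivileged user template, the generic-port binding that user_r only gets when user_tcp_server is on, and the three socket rules Erich lists in his second message. The template and interface names (userdom_unpriv_user_template, corenet_tcp_bind_all_nodes, corenet_tcp_bind_generic_port, sysnet_dns_name_resolve) are assumed to exist with these names in the tree being patched.

```selinux
# netuser.te -- illustrative module, not the patch from the thread.
# Assumption: a 2006-era reference policy tree where the template and
# interfaces called below exist under these names.
policy_module(netuser, 0.1)

########################################
#
# Declarations
#

# Builds netuser_r, netuser_t and the usual unprivileged user rules,
# the same way user_r/user_t are built from the template.
userdom_unpriv_user_template(netuser)

########################################
#
# Local policy
#

# Grant unconditionally what user_r only gets behind the
# user_tcp_server tunable: binding to generic (unreserved) ports on
# any node address. Scoping it to this role keeps the default user_r
# from gaining a listening-socket capability.
corenet_tcp_bind_all_nodes(netuser_t)
corenet_tcp_bind_generic_port(netuser_t)

# The rules Erich reports as missing before the sockets could actually
# be used: name resolution plus permission to create the sockets.
sysnet_dns_name_resolve(netuser_t)
allow netuser_t self:tcp_socket create_stream_socket_perms;
# Erich used create_stream_socket_perms here as well; UDP sockets never
# listen or accept, so the narrower set is sufficient (least privilege).
allow netuser_t self:udp_socket create_socket_perms;

# Assumption: the SELinux user is declared in policy/users, not in the
# module, e.g.
#   gen_user(netuser_u, netuser, netuser_r, s0, s0)
# An administrator then maps only the individual Linux logins that run
# a TCP service to netuser_u, leaving everyone else on user_u.
```

Because the generic-port rules are unconditional here, whether a given login may listen is decided by the user-to-role mapping rather than by a system-wide boolean, which is the per-user granularity Erich argues for.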
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009