public inbox for gentoo-hardened@lists.gentoo.org
From: Sven Vermeulen <sven.vermeulen@siphos.be>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] selinux puppet update for 2.6.8
Date: Mon, 11 Jul 2011 14:17:10 +0200
Message-ID: <20110711121710.GA31439@siphos.be>
In-Reply-To: <CA3F888B.290A%mthode@mthode.org>

On Sun, Jul 10, 2011 at 04:49:15PM -0500, Matthew Thode wrote:
> #============= puppet_t ==============
> allow puppet_t initrc_notrans_exec_t:file execute;
> allow puppet_t self:capability dac_read_search;

These two I find a bit strange. When do you encounter the need for
initrc_notrans_exec_t execute rights? I guess you're running rc-status or
rc-update at that point? I can have it work using a puppet_t ->
puppet_initrc_notrans_t -> puppet_t transition set (like we do for sysadm_t)
but this is not something you can do with audit2allow, so if the above was
sufficient to make things work...

Also, the dac_read_search capability is something that allows a root user to
read/search files, even if the owner of those files isn't root. In regular
DAC, this is "normal" (root can do everything) but not always necessary. If
you do not allow this, what happens then?

My overlay contains sec-policy/selinux-puppet-2.20101213-r1 [1] so if you
want to test things out, you can subscribe to the overlay or put the
necessary files in your own. 

[1] https://github.com/sjvermeu/gentoo.overlay/tree/7e3e3e56a7eb822ed57cc3f3d6285189a1d9fa27/sec-policy/selinux-puppet

Wkr,
	Sven Vermeulen
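The point Sven makes above is that audit2allow output should not be pasted into a policy unquestioned: a capability such as dac_read_search and a direct execute of another domain's entry-point type each deserve the question "when does this actually happen?". The following is an added example (not code from the thread, from Gentoo, or from the SELinux tools): a small Python triage script that turns AVC denial lines into the same allow rules audit2allow would emit, and marks the ones that match those two patterns for manual review. The three audit lines are constructed for the example (pids, inodes, timestamps and the puppet_etc_t target are made up); the review heuristics and the function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample AVC lines modelled on the denials that would produce the two
# rules quoted in the thread, plus one routine file read. Nothing here is taken
# from a real audit log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1310376123.101:42): avc:  denied  { execute } for  pid=3141 comm="puppetd" name="rc-status" dev=sda3 ino=12345 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:initrc_notrans_exec_t tclass=file
type=AVC msg=audit(1310376124.202:43): avc:  denied  { dac_read_search } for  pid=3141 comm="puppetd" capability=2 scontext=system_u:system_r:puppet_t tcontext=system_u:system_r:puppet_t tclass=capability
type=AVC msg=audit(1310376125.303:44): avc:  denied  { read } for  pid=3141 comm="puppetd" name="puppet.conf" dev=sda3 ino=6789 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:puppet_etc_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Capabilities that let a process step around DAC checks. A denial of one of these
# usually means the domain touched something it does not own, which is a question
# for the administrator rather than a missing allow rule (heuristic, my choice).
DAC_BYPASS_CAPS = {"dac_read_search", "dac_override", "fowner", "sys_admin"}


@dataclass
class Finding:
    source: str
    target: str
    tclass: str
    perms: list
    comm: str
    rule: str
    flags: list = field(default_factory=list)


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Split one AVC denial into its permission list and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return perms, fields


def audit2allow_rule(source, target, tclass, perms):
    """Render the allow rule audit2allow would print for this denial."""
    t = "self" if target == source else target
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source} {t}:{tclass} {p};"


def review(source, target, tclass, perms):
    """Return human-readable reasons why this rule should not be accepted blindly."""
    flags = []
    if tclass == "capability" and DAC_BYPASS_CAPS & set(perms):
        flags.append(f"DAC bypass capability: ask why {source} must read files it does not own")
    if tclass == "file" and "execute" in perms and target.endswith("_exec_t"):
        flags.append(f"{source} would run {target} in its own domain; consider a domain transition instead")
    return flags


def triage(log_text):
    """Parse every AVC line in log_text into a Finding, in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        source = context_type(f["scontext"])
        target = context_type(f["tcontext"])
        tclass = f["tclass"]
        findings.append(Finding(source, target, tclass, perms, f.get("comm", "?"),
                                audit2allow_rule(source, target, tclass, perms),
                                review(source, target, tclass, perms)))
    return findings


if __name__ == "__main__":
    for fnd in triage(SAMPLE_AUDIT_LOG):
        print("REVIEW" if fnd.flags else "ok    ", fnd.rule)
        for fl in fnd.flags:
            print("       ->", fl)
```

Running the script on the constructed log prints the three rules; the execute rule and the dac_read_search rule are marked REVIEW, the plain read of puppet_etc_t is not. The flags are deliberately only hints: deciding whether a denial is a policy gap or a misbehaving program still requires knowing what the process was doing at that moment.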


