From: Matt Thode
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux base policy r2 in hardened-dev overlay
Date: Mon, 22 Aug 2011 12:25:32 -0500
In-Reply-To: <20110822171138.GA31692@gentoo.org>
References: <20110819205148.GA29497@gentoo.org> <20110821100646.GA16371@gentoo.org> <201108211339.15280.mail@smogura.eu> <20110821141808.GA22005@gentoo.org> <4E519275.8090003@kutulu.org> <20110822151816.GA23404@gentoo.org> <20110822171138.GA31692@gentoo.org>
On Aug 22, 2011, at 12:11 PM, Sven Vermeulen wrote:

> On Mon, Aug 22, 2011 at 03:18:16PM +0000, Sven Vermeulen wrote:
>> What you are suggesting (label init script) is exactly what I was talking
>> about: instead of having the init scripts labeled initrc_exec_t, they should
>> be labeled like slapd_initrc_exec_t, postfix_initrc_exec_t, ... and Gentoo's
>> integrated run_init support, which by the policy is currently only working
>> on initrc_exec_t, should support those too.
>
> I guess that won't be happening soon.
>
> When an administrative interface is granted to a domain/role (like
> ldap_admin) then a role transition to system_r is automatically granted
> when a transition occurs on the domain-specific initrc script (like
> slapd_initrc_exec_t). In case of integrated run_init support, this would
> create a context root:system_r:run_init_t, which is invalid.
>
> Removing the role transition in all administrative interfaces is imo a no-go
> as that would mean lots of work and maintenance.
>
> Oh well, it was fun to try...
>
> Wkr,
> Sven Vermeulen

I know this is not ideal, but can you simply allow sysadm_r to use rc-service and its brothers?
-- 
Matthew Thode
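To make the mechanism Sven describes concrete, here is an added illustration in the refpolicy style (not code from this thread, from Gentoo's hardened-dev overlay, or from refpolicy verbatim): a domain-specific initrc label for slapd and an ldap_admin interface containing the role transition to system_r. The init script path, the helper interfaces used and the exact statements are assumptions modelled on refpolicy conventions.

```m4
# slapd.fc: give the init script its own type instead of initrc_exec_t
# (assumed path; not taken from the thread)
/etc/init\.d/slapd	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)

# slapd.te: declare the type and mark it as an init script file
type slapd_initrc_exec_t;
init_script_file(slapd_initrc_exec_t)

# slapd.if: administrative interface, modelled on refpolicy's ldap_admin
# $1 = administrator domain (e.g. sysadm_t), $2 = administrator role (e.g. sysadm_r)
interface(`ldap_admin',`
	gen_require(`
		type slapd_t, slapd_initrc_exec_t;
		role system_r;
	')

	# manage the running daemon
	allow $1 slapd_t:process { ptrace signal_perms };
	ps_process_pattern($1, slapd_t)

	# let $1 execute the labelled init script and transition into the
	# init script domain (initrc_t)
	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
	domain_system_change_exemption($1)

	# This is the role transition the thread talks about: whenever a process
	# in role $2 executes slapd_initrc_exec_t, its role becomes system_r.
	# That is fine when the type transition goes to initrc_t (a system_r
	# type). With Gentoo's integrated run_init, executing the script from
	# sysadm_t transitions to run_init_t instead, so the same role
	# transition would yield root:system_r:run_init_t, and because no
	# "role system_r types run_init_t;" exists, that context is invalid.
	role_transition $2 slapd_initrc_exec_t system_r;
	allow $2 system_r;
')
```

A defender auditing a policy for this interaction can look for role_transition statements on *_initrc_exec_t types and confirm that every type the execution can transition to is authorised for the target role.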