Tayga policy review - selinux - Fedora mailing-lists

List overview All Threads
Download

Tayga policy review

SELinux Coloring Book will be at...

read_dirs_pattern

William

2 Apr 2014 2 Apr '14

8:01 p.m.

Hi,

I'm submitting a package for tayga to fedora. I would like the SELinux policy attached to this reviewed.

https://bugzilla.redhat.com/show_bug.cgi?id=1028206

Policy attached. It has comments around parts I have queries and concerns about.

Note that tayga will attempt to call /usr/sbin/ip, which is why the cmd transitions are in the policy.

-- William Brown william@firstyear.id.au

Attachments:

tayga.fc (text/plain — 281 bytes)
tayga.if (text/plain — 0 bytes)
tayga.te (text/plain — 1.6 KB)
signature.asc (application/pgp-signature — 836 bytes)

Reply

Show replies by date

Miroslav Grepl

3 Apr 3 Apr

6:34 a.m.

On 04/03/2014 03:01 AM, William Brown wrote:

Hi,

I'm submitting a package for tayga to fedora. I would like the SELinux policy attached to this reviewed.

https://bugzilla.redhat.com/show_bug.cgi?id=1028206

Policy attached. It has comments around parts I have queries and concerns about.

Note that tayga will attempt to call /usr/sbin/ip, which is why the cmd transitions are in the policy.

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux

There is no need to have own private type for /etc/tayga if it is read-only.

Is net_admin caused by tayga? I believe it is caused by ifconfig.

Is there a unit file?

I attached reviewed policy files.

Reply

Dominick Grift

3:58 p.m.

On Thu, 2014-04-03 at 13:34 +0200, Miroslav Grepl wrote:

...
There is no need to have own private type for /etc/tayga if it is read-only.

<<snip>>

Is there a unit file?

With that reasoning there is no need for a private type for service units either

After all they aren't written to either

The private type for this config file is handy for a (missing) tyaga_admin() interface. So that tayga administrators can modify the configuration files, just like a tayga_unit_file_t type fpr service unit would enable administrators to modify the service unit and manage the service via the service unit.

Reply

William

5:42 p.m.

There is no need to have own private type for /etc/tayga if it is read-only.

See Dan's admin_interface comment. I'll add this.

Is net_admin caused by tayga? I believe it is caused by ifconfig.

I believe it is caused by tayga. I'll need to just double check to be sure.

Is there a unit file?

There is, but I just use the default unit file labeling types.

I attached reviewed policy files.

Thanks! I can already see you have fixed most of my comments where I was a bit lost. I'll read this over, test it and get back to you.

Sincerely,

-- William Brown william@firstyear.id.au

Reply

4089

Age (days ago)

4089

Last active (days ago)

selinux@lists.fedoraproject.org

3 comments

3 participants

tags (0)

participants (3)

Dominick Grift
Miroslav Grepl
William