avc: smartcard token login

Dominick Grift domg472 at gmail.com
Sun Dec 5 21:44:55 UTC 2010


On 12/05/2010 10:29 PM, Mr Dash Four wrote:
> 
>> I've been through these duplicate declaration/out of scope issues many
>> times. It is one of the reasons that I maintain my own policy instead of
>> using Fedora's policy.
>>   
> I do something similar - for different machines (which have different
> requirements) I have prepared separate patches based on the version of
> the Fedora policy used and I just apply them (looking for
> failures/hunks) when a new version of the policy is released.
> 
> One of the things which annoys me no end in the Fedora policy is using
> the scatter-gun approach and granting access to the 'generic'
> net/node/interface to a host of modules as well as granting access to
> all 'client' packets. That is fundamentally wrong imo!

That is actually not a Fedora-specific issue. Upstream refpolicy has the
same. It is done to preserve compatibility. People that use the
networking controls are expected to be able to customize the policy, I
believe.

I think that Fedora and refpolicy are discussing making this work in
other ways. I personally have no problem with it since I do not use the
network controls anyway.

My issue with Fedora policy is:

Stuffing stuff into base.
- Means the module cannot be disabled/replaced. Means you'll more often get
into duplicate declaration / out of scope issues.

Fedora's (and refpolicy's, for that matter) vision for the user space.
- They both have different visions that cannot co-exist in one policy.
(Fedora's unconfineduser module is one issue)

Both Fedora and refpolicy do not have the desktop layer confined, which
means users interact directly with the system layer, basically bypassing
the desktop layer (which means the userdomains need much more
privileges than they would if the desktop layer was confined).

Fedora easily permits access to all user home content, which is not good
for confinement of the user space (I like to keep things least privilege).

Fedora and refpolicy both have many unconfined domains.
- Means that if you want to make an unconfined domain confined, you
will most likely first have to fix a bunch of bugs (because Fedora
developed the policy as being unconfined). In my view all domains should
at least in rawhide be confined. When it goes stable they can make them
unconfined, but it should as much as possible work confined as well.

Not that when I remove the unconfined_domain() interface I have to
spend a week to make things work.

But easier said than done. Fedora in the meanwhile also has to deliver a
workable product for the general audience.

I don't have that problem with my personal branch, and that's why I just
maintain my own stuff. No one to tell me what to do... no pressure...
just fun and security.

>> Sorry, I have not tested it.
>> Yet, I am pretty sure it would work in my personal policy.
>>   
> I'll do that tomorrow when I have the chance!
> 
