avc: smartcard token login

Daniel J Walsh dwalsh at redhat.com
Mon Dec 6 14:43:48 UTC 2010



On 12/05/2010 04:44 PM, Dominick Grift wrote:
> On 12/05/2010 10:29 PM, Mr Dash Four wrote:
> 
>>> I've been through these duplicate declaration/out of scope issues many
>>> times. It is one of the reasons that I maintain my own policy instead of
>>> using Fedora's policy.
>>>   
>> I do something similar - for different machines (which have different
>> requirements) I have prepared separate patches based on the version of
>> the Fedora policy used and I just apply them (looking for
>> failures/hunks) when a new version of the policy is released.
> 
>> One of the things which annoys me no end in the Fedora policy is using
>> the scatter-gun approach and granting access to the 'generic'
>> net/node/interface to a host of modules as well as granting access to
>> all 'client' packets. That is fundamentally wrong imo!
> 
> That is actually not a Fedora-specific issue. Upstream refpolicy has the
> same. It is done to preserve compatibility. People that use the
> networking controls are expected to be able to customize the policy, I
> believe.
> 
> I think that Fedora and refpolicy are discussing to make this work in
> other ways. I personally have no problem with it since I do not use the
> network controls anyway.
> 
> My issue with Fedora policy is:
> 
> Stuffing stuff into base.
> - Means module cannot be disabled/replaced. Means you'll more often get
> into duplicate declaration / out of scope issues.
> 
> Fedora's (and refpolicy's, for that matter) vision for the user space.
> - They both have different visions that cannot co-exist in one policy.
> (Fedora's unconfineduser module is one issue)
> 
> Both Fedora and refpolicy do not have the desktop layer confined, which
> means users interact directly with the system layer, basically bypassing
> the desktop layer (which means the userdomains need much more
> privileges than they would if the desktop layer was confined).
> 
> Fedora easily permits access to all user home content, which is not good
> for confinement of the user space. (I like to keep things least privilege.)
> 
> Fedora and refpolicy both have many unconfined domains.
> - Means that if you want to make an unconfined domain confined, you
> will most likely first have to fix a bunch of bugs (because Fedora
> developed the policy as being unconfined). In my view all domains should
> at least in Rawhide be confined. When it goes stable they can make them
> unconfined, but it should as much as possible work confined as well.
> 
> Not that when I remove the unconfined_domain() interface that I have to
> spend a week to make things work.
> 
> But easier said than done. Fedora in the meanwhile also has to deliver a
> workable product for the general audience.
> 
> I don't have that problem with my personal branch, and that's why I just
> maintain my own stuff. No one to tell me what to do... no pressure..
> just fun and security.
> 
>>> Sorry, I have not tested it.
>>> Yet, I am pretty sure it would work in my personal policy.
>>>   
>> I'll do that tomorrow when I have the chance!
> 
> 


Dominick, did you check these changes into the Rawhide branch?