[redhat-lspp] Re: [PATCH 2/3] Re: MLS enforcing PTYs, sshd, and newrole
James Antill
jantill at redhat.com
Tue Oct 31 18:33:02 UTC 2006
On Tue, 2006-10-31 at 11:21 -0500, Stephen Smalley wrote:
> No. The ability to make the security call is controlled by the
> compute_av permission on the security class, and isn't based on the
> individual contexts passed as arguments. That would be:
>     allow $1 security_t:security compute_av;
> which has an interface:
>     selinux_compute_access_vector($1)
> which is already in authlogin.if. No change required for allowing the
> call to happen.
>
> What you are instead trying to do is to define the _result_ of that
> compute_av call based on its arguments, not whether it can be made by
> login. So the TE rule would go into userdomain.if and be of the form:
>     allow $1 self:context <permissionname>;
Ok, I think I have it now. Both patches are at (with the renamed
permission):
http://people.redhat.com/jantill/pam-config_role/upstream/
--
James Antill - <james.antill at redhat.com>
setsockopt(fd, IPPROTO_TCP, TCP_CONGESTION, ...);
setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, ...);
setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, ...);
-------------- next part --------------
A non-text attachment was scrubbed...
Name: policy-pam-range-checking.patch
Type: text/x-patch
Size: 1095 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/redhat-lspp/attachments/20061031/c57028b5/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: selinux-pam-range-checking.patch
Type: text/x-patch
Size: 987 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/redhat-lspp/attachments/20061031/c57028b5/attachment-0001.bin>