[redhat-lspp] LSPP kickstart config v0.18 released
Klaus Weidner
klaus at atsec.com
Tue Feb 13 04:49:42 UTC 2007
On Mon, Feb 12, 2007 at 11:53:49AM -0500, Daniel J Walsh wrote:
> Linda Knippers wrote:
> >I see that this version of the ks rpm still has a lot of stuff in the
> >lspp policy module (attached for those not using the rpm). Some of
> >the policy changes reference bugzillas but not all of them.
> >
> >Has Dan pulled these changes into the mls policy?
Dan, thanks for reviewing them. I'll delete the obsolete parts; more
below about the changes that are still needed.
> ># Fix proposed to RH 2006-12-18:
> >#
> >https://enterprise.redhat.com/issue-tracker/?module=issues&action=view&tid=107824
> ># https://bugzilla.linux.ibm.com/show_bug.cgi?id=29661
> >gen_require(`
> > type ftpd_t;
> >')
> >auth_rw_faillog(ftpd_t)
> >
> auth_append_faillog is in the current policy; does it need auth_rw_faillog?
I tried without the additional rule and it didn't work.
If I understand the mechanism correctly, the /var/log/tallylog file is
accessed by seeking to a position based on the numerical UID, so it needs
full read/write access.
I updated one of the bugs where this was discussed, but could not reopen
it due to lack of permissions.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220085
> ># https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220487
> >
> >### sshd ##################################################
> >
> >gen_require(`
> > type sshd_t, unlabeled_t, staff_ssh_t, user_ssh_t, port_t;
> >')
> >kernel_tcp_recvfrom_unlabeled(sshd_t)
> >kernel_tcp_recvfrom_unlabeled(staff_ssh_t)
> >kernel_tcp_recvfrom_unlabeled(user_ssh_t)
> >allow staff_ssh_t port_t:tcp_socket name_connect;
> >allow user_ssh_t port_t:tcp_socket name_connect;
> >
> >
> Not sure how we should handle this.
This isn't needed anymore with current policy. I'm adding the following
to the config script to assign ssh_port_t to port 222:
semanage port -a -t ssh_port_t -p tcp 222
-Klaus
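The point Klaus makes about /var/log/tallylog (the record for a user sits at an offset derived from the numerical UID, so the file is seeked into and overwritten in place rather than appended to) is the whole reason `auth_append_faillog` is not enough and `auth_rw_faillog` is. The Python below is an added illustration, not code from this thread or from pam_tally2: it models that access pattern and shows what an append-only open does to a positional write. The 64-byte record layout and its field names are an assumption modelled on pam_tally2's tallylog.h; the file path, UIDs and timestamps are constructed for the demo.

```python
import os
import shutil
import struct
import tempfile
import time

# Assumed record layout, modelled on pam_tally2's tallylog.h:
#   char fail_line[52]; uint16 reserved; uint16 fail_cnt; uint64 fail_time
# Little-endian, no padding: 64 bytes per UID, record N at offset N * 64.
TALLY_FMT = "<52sHHQ"
TALLY_SIZE = struct.calcsize(TALLY_FMT)  # 64


def record_failure(path, uid, fail_line=b"", now=None):
    """Increment the failure counter for `uid` (what pam_tally2 does on a
    bad login). The slot is located by seeking to uid * TALLY_SIZE, read,
    updated and written back in place, which is why the file must be opened
    read/write (SELinux 'read' + 'write'), not merely 'append'."""
    if now is None:
        now = int(time.time())
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        off = uid * TALLY_SIZE
        os.lseek(fd, off, os.SEEK_SET)
        raw = os.read(fd, TALLY_SIZE)          # b"" if the slot is past EOF
        if len(raw) == TALLY_SIZE:
            _, reserved, cnt, _ = struct.unpack(TALLY_FMT, raw)
        else:
            reserved, cnt = 0, 0               # first failure for this uid
        cnt += 1
        os.lseek(fd, off, os.SEEK_SET)         # back to the slot, overwrite
        os.write(fd, struct.pack(TALLY_FMT, fail_line, reserved, cnt, now))
        return cnt
    finally:
        os.close(fd)


def get_tally(path, uid):
    """Return (fail_cnt, fail_time, fail_line) for `uid`; zeros if unseen."""
    fd = os.open(path, os.O_RDONLY)
    try:
        os.lseek(fd, uid * TALLY_SIZE, os.SEEK_SET)
        raw = os.read(fd, TALLY_SIZE)
    finally:
        os.close(fd)
    if len(raw) < TALLY_SIZE:
        return 0, 0, b""
    line, _, cnt, when = struct.unpack(TALLY_FMT, raw)
    return cnt, when, line.rstrip(b"\0")


def reset_tally(path, uid):
    """Zero the slot in place (what pam_tally2 does on a successful login)."""
    fd = os.open(path, os.O_RDWR)
    try:
        os.lseek(fd, uid * TALLY_SIZE, os.SEEK_SET)
        os.write(fd, struct.pack(TALLY_FMT, b"", 0, 0, 0))
    finally:
        os.close(fd)


def append_only_attempt(path, uid):
    """Why 'append' is insufficient: POSIX O_APPEND moves the offset to EOF
    before every write, so the seek is ignored and the record lands in
    whatever slot happens to be at the end of the file. Returns
    (intended_offset, actual_offset, uid_whose_slot_was_written)."""
    intended = uid * TALLY_SIZE
    fd = os.open(path, os.O_WRONLY | os.O_APPEND)
    try:
        os.lseek(fd, intended, os.SEEK_SET)
        os.write(fd, struct.pack(TALLY_FMT, b"", 0, 1, 0))
        landed = os.lseek(fd, 0, os.SEEK_CUR) - TALLY_SIZE
    finally:
        os.close(fd)
    return intended, landed, landed // TALLY_SIZE


def demo():
    """Constructed scenario: two ssh failures for uid 1000, an append-only
    write meant for uid 500, then a successful login for uid 1000."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "tallylog")       # stand-in for /var/log/tallylog
    try:
        first = record_failure(path, 1000, b"ssh", now=1171255782)
        second = record_failure(path, 1000, b"ssh", now=1171255790)
        tally = get_tally(path, 1000)
        unknown = get_tally(path, 2000)      # slot beyond EOF
        size_before = os.path.getsize(path)  # (1000 + 1) * 64 bytes
        appended = append_only_attempt(path, 500)
        reset_tally(path, 1000)
        after_reset = get_tally(path, 1000)[0]
        return {
            "first": first, "second": second, "tally": tally,
            "unknown": unknown, "size_before": size_before,
            "append": appended, "after_reset": after_reset,
        }
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In the demo the append-only write intended for UID 500 (offset 32000) lands at offset 64064, which is the slot for UID 1001: an append-only domain could neither count its own failures correctly nor avoid clobbering another user's record. That is the behaviour behind the observation that `auth_append_faillog(ftpd_t)` alone "didn't work".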