This policy is much tighter than the GConf policy from the old example
policy. It only allows gconfd to access configuration data stored by
GConf. Users can modify configuration data using gconftool-2 or
gconf-editor, both of which use gconfd. GConf manages multiple
configuration sources, so gconfd should be used to make any changes
anyway. Normal users who aren't trying to directly edit the
configuration data of GConf won't notice anything different.
There is also a difference between this policy and the old example
policy in handling directories in /tmp. The old example policy
labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no
use of the file_type_auto_trans macro, if that directory was deleted
gconfd would create one labeled as tmp_t. This policy uses the
files_tmp_filetrans macro to cause a directory in /tmp created by gconfd
to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t,
because if /tmp/orbit-USER is deleted, gconfd will create it (through
use of ORBit) and it would get the $1_gconf_tmp_t label. By having
gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and
directories in directories labeled with $1_tmp_t, it can control its
data without requiring any future bonobo or Gnome policies to have
access to $1_gconf_tmp_t.
This patch is related to work that I am doing in making gconfd a
userspace object manager. If any user program can modify the
configuration data that GConf stores, then making gconfd a userspace
object manager would be useless.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
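The two-level /tmp labeling scheme described above, written out as an illustrative refpolicy fragment (an added example, not the submitted patch); it assumes a domain gconfd_t and the types gconf_tmp_t and user_tmp_t as stand-ins for the $1_gconfd_t, $1_gconf_tmp_t and $1_tmp_t that the per-user template would generate:

```m4
# Constructed illustration of the gconfd /tmp handling; the type names are
# assumptions standing in for the per-user template's $1_ prefixed types.
type gconf_tmp_t;
files_tmp_file(gconf_tmp_t)

# Anything gconfd creates directly under /tmp (for example /tmp/orbit-USER,
# which ORBit recreates if it is missing) gets the generic user tmp type,
# so no later bonobo or GNOME policy ever needs access to gconf_tmp_t.
files_tmp_filetrans(gconfd_t, user_tmp_t, dir)
manage_dirs_pattern(gconfd_t, user_tmp_t, user_tmp_t)

# Only objects gconfd creates inside a user_tmp_t directory (its own
# /tmp/gconfd-USER data) get the private gconf_tmp_t label.
filetrans_pattern(gconfd_t, user_tmp_t, gconf_tmp_t, { file dir })
manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
```

Contrast this with the old example policy, which relied on a fixed file context for /tmp/gconfd-USER and so lost the private label as soon as the directory was deleted and recreated.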
* fix userdom_search_all_users_home_content() to use search_dir_perms;
* change ssh daemon macro to use userdom_search_all_users_home_dirs() instead of _home_content()
an xfrm policy. It also defines MLS policy for association { sendto,
recvfrom, polmatch }.
NOTE: When an inbound packet is not using an IPSec SA, a check is performed
between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For
MLS purposes however, the target of the check should be the MLS label taken
from the node sid (or secmark in the new secmark world). This would present
a severe performance overhead (to make a new sid based on the unlabeled sid
with the MLS taken from the node sid or secmark and then using this sid as
the target). Pending reconciliation of the netlabel, ipsec and iptables contexts,
I have chosen to currently make an exception for unlabeled_t SAs if TE policy
allowed it. A similar problem exists for the outbound case and it has been similarly
handled in the policy below (by making an exception for unlabeled_t).
I am submitting the below limited patch pending a comprehensive patch from
Joy Latten at IBM (latten@austin.ibm.com).
I am not sure if I needed to manually do a "make tolib" in the flask subdir
and submit the results as well. Please let me know if I needed to.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
The jffs2 filesystem is a filesystem for memory technology
devices (MTD), and xattr support on jffs2 is necessary
to use SELinux with a small diskless PDA and so on.
This facility is queued for kernel 2.6.18 now, so I hope
to merge this small patch into the refpolicy repository.
Example of xattr/jffs2: SELinux on OpenZaurus :D
http://www.kaigai.gr.jp/pub/sezaurus.jpg
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>