On 12/05/2010 04:44 PM, Dominick Grift wrote:
> On 12/05/2010 10:29 PM, Mr Dash Four wrote:
>
>>> I've been through this duplicate declaration/out of scope issues many
>>> times. It is one of the reasons that I maintain my own policy instead of
>>> using Fedora's policy.
>>>
>> I do something similar - for different machines (which have different
>> requirements) I have prepared separate patches based on the version of
>> the Fedora policy used and I just apply them (looking for
>> failures/hunks) when a new version of the policy is released.
>
>> One of the things which annoys me no end in the Fedora policy is using
>> the scatter-gun approach and granting access to the 'generic'
>> net/node/interface to a host of modules as well as granting access to
>> all 'client' packets. That is fundamentally wrong imo!
>
> That is actually not a Fedora specific issue. Upstream refpolicy has the
> same. It is done to preserve compatibility. People that use the
> networking controls are expected to be able to customize the policy, I
> believe.
>
> I think that Fedora and refpolicy are discussing to make this work in
> other ways. I personally have no problem with it since I do not use the
> network controls anyway.
>
> My issue with Fedora policy is:
>
> stuffing stuff into base.
> - Means module cannot be disabled/replaced. Means you'll more often get
> into duplicate declaration / out of scope issues.
>
> Fedora's (and refpolicy's for that matter) vision for the user space.
> - they both have different visions that cannot co-exist in one policy.
> (Fedora's unconfineduser module is one issue)
>
> Both Fedora and refpolicy do not have the desktop layer confined, which
> means users interact directly with the system layer, basically bypassing
> the desktop layer. (which means the userdomains need much more
> privileges than they would if the desktop layer was confined)
>
> Fedora easily permits access to all user home content, which is not good
> for confinement of the user space. (I like to keep things least privilege)
>
> Fedora and refpolicy both have many unconfined domains.
> - Means that if you want to make an unconfined domain confined, you
> will most likely first have to fix a bunch of bugs (because Fedora
> developed the policy as being unconfined). In my view all domains should
> at least in rawhide be confined. When it goes stable they can make them
> unconfined but it should as much as possible work confined as well.
>
> Not that when I remove the unconfined_domain() interface that I have to
> spend a week to make things work.
>
> But easier said than done. Fedora in the meanwhile also has to deliver a
> workable product for the general audience.
>
> I don't have that problem with my personal branch, and that's why I just
> maintain my own stuff. No one to tell me what to do... no pressure..
> just fun and security.
>
>>> Sorry, I have not tested it.
>>> Yet, I am pretty sure it would work in my personal policy.
>>>
>> I'll do that tomorrow when I have the chance!
>
>
Dominick did you check these changes into the Rawhide branch?

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux