Re: [PATCH] REFPOL: Add "rogue" Fedora packet class permissions

Eric Paris wrote:
On 1/18/08, Christopher J. PeBenito <cpebenito@xxxxxxxxxx> wrote:
On Thu, 2008-01-17 at 14:33 -0500, Stephen Smalley wrote:
On Thu, 2008-01-17 at 14:13 -0500, Joshua Brindle wrote:
Paul Moore wrote:
At some point in the Fedora 6 timeframe the "flow_in" and "flow_out"
permissions were added to the "packet" class, most likely as part of the
ill-fated secid-reconciliation effort.  Despite the fact that these permissions
are not currently used they should be included in the Reference Policy as they
are now a permanent fixture in Fedora and it is crucial that the FLASK
defines be kept in sync.

This patch needs to be applied before any other patches that affect the
"packet" class, otherwise the resulting policy may not load.

This also points out how much of a bad idea it is to add object
class/perm definitions into distro policies before they are in
refpolicy, I hope that this will be avoided in the future.

Definitely.

Dan and I are both well aware of this and I think we can all be
certain it won't happen again.


I'm fine with drilling it in just to make sure ;)

This all came up because akpm reported the failure on his FC6 test box
with latest -mm.

failure == kernel panic

I suggested just using flow_in/flow_out instead of
forward_in/forward_out for Paul's new controls so that we don't have any
unused permissions, but Paul and Eric want the more precise names.

I strongly agree with Stephen's suggestion.  Do we have a strategy for
eventually reclaiming these permissions if we don't reuse them right
now?

I'm willing to do the kernel work to support NULL names for these
permissions and maybe in 5 years or so we will all feel comfortable
reusing them (basically the same situation we are in for things like
unused classes we carry around for PAX, we can't reclaim it till we
can be sure everything that ever used it is dead).  But labeled net is
convoluted and difficult enough without even the slightest of
misdirection of permission names.  If down the road people search teh
intarwebz on flow_in they are going to get back to all of venkat's old
discussions of 'flow.'  This isn't what we want.


I think we know the Pax object class isn't being used anymore. One thing on our long list is to fix up the kernel to request object class and perm values similarly to the work done to do that from userspace last year. Once that is done we can hopefully do a wholesale cleaning of unused values.

I know it sucks and Fedora screwed up on this one getting a little
overzealous trying to stay ahead of the development game but at this
point let's waste that 50 bytes of memory or whatever so down the road
we don't have issues.



