On 08/15/2016 10:55 AM, Miroslav Vadkerti wrote:
> Anyway, could we have this patch applied and sort out a better way
> of supplying defaults later please?
>

I hope you do realize that this also affects your customers by essentially forcing them to use your identifiers. With these MLS identifiers that is not a big deal, but with system_u it is a bigger deal, because now your customers will have to work around this if they wish to take advantage of CIL and its namespace features by namespacing SELinux user identities.

> Thanks,
> /M
>
> On Mon, Aug 15, 2016 at 8:33 AM, Miroslav Vadkerti <mvadkert@xxxxxxxxxx>
> wrote:
>
>> On Fri, Aug 12, 2016 at 4:58 PM, Stephen Smalley <sds@xxxxxxxxxxxxx>
>> wrote:
>>
>>> On 08/12/2016 10:22 AM, Dominick Grift wrote:
>>>> On 08/12/2016 03:57 PM, Miroslav Vadkerti wrote:
>>>>> For modify action actually audit the selinux type, i.e. use
>>>>> setype variable.
>>>>>
>>>>> For deleting equal fcontext rules do not audit ftype, as the
>>>>> ftype value for equal rules makes little sense.
>>>>>
>>>>> Signed-off-by: Miroslav Vadkerti <mvadkert@xxxxxxxxxx> ---
>>>>> policycoreutils/semanage/seobject.py | 4 ++-- 1 file changed, 2
>>>>> insertions(+), 2 deletions(-)
>>>>>
>>>>> diff --git a/policycoreutils/semanage/seobject.py
>>>>> b/policycoreutils/semanage/seobject.py index 786ed0e..8d3088c
>>>>> 100644 --- a/policycoreutils/semanage/seobject.py +++
>>>>> b/policycoreutils/semanage/seobject.py
>>>>> @@ -1992,7 +1992,7 @@
>>>>> class fcontextRecords(semanageRecords): if not seuser: seuser =
>>>>> "system_u"
>>>>
>>>> system_u is reference policy specific. This is SELinux user space,
>>>> not reference policy user space.
>>>
>>> Yes, that's pre-existing though (not added by this patch), and
>>> unfortunately pervasive throughout seobject.py.
>>>
>>> I guess we'll need to decide how to provide this information so that
>>> it doesn't have to be hardcoded in seobject.py, e.g. yet another
>>> policy configuration file with default values for each security
>>> context field?
>>>
>>
>> The same issue might apply for serange, which also
>> can be an empty string and thus gets audited badly
>> if not some default value.
>>
>>>
>>>>
>>>>>
>>>>> - self.mylog.log_change("resrc=fcontext op=modify %s
>>>>> ftype=%s tcontext=%s:%s:%s:%s" %
>>>>> (audit.audit_encode_nv_string("tglob", target, 0),
>>>>> ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
>>>>> self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s
>>>>> tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob",
>>>>> target, 0), ftype_to_audit[ftype], seuser, "object_r", setype,
>>>>> serange))
>>>>>
>>>>> def modify(self, target, setype, ftype, serange, seuser):
>>>>> self.begin()
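Review bot: the substitution of `setype` for `type` is correct and worth stating why in the commit message: `type` is not a parameter of modify (its signature is in the trailing context, `def modify(self, target, setype, ftype, serange, seuser)`), so the old record interpolated Python's builtin `type` and logged its repr instead of the file context type. What the hunk leaves as-is on the same line are the other two context fields: `seuser` is filled from the hard-coded `"system_u"` in the leading context, and `serange` has no fallback at all, so when it is the empty string the thread mentions, `"tcontext=%s:%s:%s:%s"` ends in a dangling colon. Suggest either dropping the range field when it is empty or taking both defaults from one configurable place rather than literals in seobject.py.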
>>>>> @@ -2030,7 +2030,7 @@ class
>>>>> fcontextRecords(semanageRecords): self.equiv.pop(target)
>>>>> self.equal_ind = True
>>>>>
>>>>> - self.mylog.log_change("resrc=fcontext
>>>>> op=delete-equal %s ftype=%s" %
>>>>> (audit.audit_encode_nv_string("tglob", target, 0),
>>>>> ftype_to_audit[ftype])) +
>>>>> self.mylog.log_change("resrc=fcontext op=delete-equal %s" %
>>>>> (audit.audit_encode_nv_string("tglob", target, 0)))
>>>>>
>>>>> return
>>>>>
>>>>
>>>> _______________________________________________ Selinux mailing
>>>> list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to
>>>> Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing
>>>> "help" to Selinux-request@xxxxxxxxxxxxx.
>>>>
>>>
>>
>> --
>> Miroslav Vadkerti :: Senior QE / RHCSS :: BaseOS QE Security
>> IRC mvadkert #qe #urt #brno #rpmdiff :: GPG 0x25881087
>> Desk Phone +420 532 294 129 :: Mobile +420 773 944 252
>> Red Hat Czech s.r.o, Purkyňova 99/71, 612 00, Brno, CR
>>
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
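Review bot: dropping `ftype` from the delete-equal record is reasonable, but the record is now left with only the source glob, while the value returned by `self.equiv.pop(target)` two lines above (the path the equivalence mapped to) is discarded, so the audit trail says an equivalence for tglob was removed without saying what it was equivalent to. Suggest keeping that value, e.g. `subst = self.equiv.pop(target)`, and adding it to the record with a second `audit.audit_encode_nv_string("subst", subst, 0)` field. Minor style point on the new line: `% (audit.audit_encode_nv_string("tglob", target, 0))` is a parenthesised expression, not a one-element tuple; it works for a single string argument, but either dropping the parentheses or writing `(…, )` makes the intent clearer.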
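Added example, not policycoreutils code and not from anyone in this thread: one way to assemble the `tcontext=` and `tglob=` parts of these records with the user/role/range defaults read from a per-store file, along the lines of the per-field defaults file Stephen Smalley floats above, instead of the literals in seobject.py. It also shows the two failure modes the thread touches: an empty `serange` producing a trailing colon, and an unset `seuser` with nothing to fall back on. The INI layout (section and key names), the sample files, and `encode_nv()`, a pure-Python stand-in that only approximates libaudit's `audit_encode_nv_string()` rather than calling it, are all assumptions of this example.

```python
"""Added example, not policycoreutils code: assemble the tcontext= and
tglob= fields of a semanage audit record with defaults read from a
config file instead of literals in seobject.py.

Assumptions made for this example: the INI layout (section
[context_defaults], keys user/role/range) and encode_nv(), a pure-Python
stand-in that only approximates libaudit's audit_encode_nv_string().
"""
import configparser

FIELDS = ("user", "role", "range")

# Constructed sample of a per-store defaults file (assumption: nothing
# like it ships with policycoreutils). An MLS store supplies a range...
SAMPLE_DEFAULTS_MLS = """\
[context_defaults]
user = system_u
role = object_r
range = s0
"""

# ...while a non-MLS store has no range field at all.
SAMPLE_DEFAULTS_NO_MLS = """\
[context_defaults]
user = system_u
role = object_r
"""


def load_context_defaults(ini_text):
    """Parse the defaults file; every field maps to a string, '' if absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    section = cp["context_defaults"] if cp.has_section("context_defaults") else {}
    return {f: section.get(f, "").strip() for f in FIELDS}


def build_tcontext(setype, seuser="", serange="", defaults=None):
    """Return user:role:type[:range] for an audit record.

    Empty seuser/serange fall back to the loaded defaults rather than to
    hard-coded identifiers. When no range is available the fourth field
    is omitted instead of emitting a trailing ':' (what "%s:%s:%s:%s"
    produces for an empty serange). A missing user or role with no
    default is an error, not something to log half-filled.
    """
    if not setype:
        raise ValueError("setype is required")
    d = defaults if defaults is not None else {f: "" for f in FIELDS}
    user = seuser or d["user"]
    role = d["role"]
    rng = serange or d["range"]
    if not user or not role:
        raise ValueError("no SELinux user/role supplied and no default configured")
    parts = [user, role, setype]
    if rng:
        parts.append(rng)
    return ":".join(parts)


def encode_nv(name, value):
    """Stand-in for audit_encode_nv_string (assumption: same shape only).

    Values made of printable ASCII without '"' are emitted quoted; anything
    else is hex-encoded so a space or quote inside a file glob cannot
    split the record into extra fields.
    """
    needs_hex = any(c == '"' or ord(c) < 0x21 or ord(c) > 0x7E for c in value)
    if needs_hex:
        return f"{name}={value.encode().hex().upper()}"
    return f'{name}="{value}"'


def fcontext_audit_record(op, target, tcontext=None, ftype=None):
    """Compose the record string that seobject.py hands to log_change()."""
    fields = ["resrc=fcontext", f"op={op}", encode_nv("tglob", target)]
    if ftype is not None:
        fields.append(f"ftype={ftype}")
    if tcontext is not None:
        fields.append(f"tcontext={tcontext}")
    return " ".join(fields)


if __name__ == "__main__":
    mls = load_context_defaults(SAMPLE_DEFAULTS_MLS)
    print(fcontext_audit_record("modify", "/srv/www(/.*)?",
                                build_tcontext("httpd_sys_content_t", defaults=mls), "a"))
    no_mls = load_context_defaults(SAMPLE_DEFAULTS_NO_MLS)
    print(fcontext_audit_record("modify", "/srv/my dir",
                                build_tcontext("httpd_sys_content_t", seuser="web_u",
                                               defaults=no_mls), "a"))
    print(fcontext_audit_record("delete-equal", "/srv/www"))
```

The defaults file is one way to do it; the point is only that the record builder takes the identifiers as data, so a store that namespaces its SELinux users under CIL can set `user` to whatever it actually uses, and a non-MLS store simply leaves `range` out rather than having an empty string pasted into the context.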