On Mon, Feb 12, 2007 at 11:53:49AM -0500, Daniel J Walsh wrote:
> Linda Knippers wrote:
> >I see that this version of the ks rpm still has a lot of stuff in the
> >lspp policy module (attached for those not using the rpm). Some of
> >the policy changes reference bugzillas but not all of them.
> >
> >Has Dan pulled these changes into the mls policy?

Dan, thanks for reviewing them. I'll delete the obsolete parts; more
below about the changes that are still needed.

> ># Fix proposed to RH 2006-12-18:
> >#
> >https://enterprise.redhat.com/issue-tracker/?module=issues&action=view&tid=107824
> ># https://bugzilla.linux.ibm.com/show_bug.cgi?id=29661
> >gen_require(`
> >	type ftpd_t;
> >')
> >auth_rw_faillog(ftpd_t)
> >
> auth_append_faillog is the current policy; does it need auth_rw_faillog?

I tried without the additional rule and it didn't work. If I understand
the mechanism correctly, the /var/log/tallylog file is accessed by
seeking to a position based on the numerical UID, so it needs full
read/write access. I updated one of the bugs where this was discussed,
but could not reopen it due to lack of permissions.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220085

> ># https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220487
> >
> >### sshd ##################################################
> >
> >gen_require(`
> >	type sshd_t, unlabeled_t, staff_ssh_t, user_ssh_t, port_t;
> >')
> >kernel_tcp_recvfrom_unlabeled(sshd_t)
> >kernel_tcp_recvfrom_unlabeled(staff_ssh_t)
> >kernel_tcp_recvfrom_unlabeled(user_ssh_t)
> >allow staff_ssh_t port_t:tcp_socket name_connect;
> >allow user_ssh_t port_t:tcp_socket name_connect;
> >
> >
> Not sure how we should handle this.

This isn't needed anymore with current policy. I'm adding the following
to the config script to assign ssh_port_t to port 222:

semanage port -a -t ssh_port_t -p tcp 222

-Klaus

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
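The following is an added illustration, not code from this thread, from pam_tally2 or from the lspp policy module. It models the access pattern Klaus describes for /var/log/tallylog: the file is treated as an array of per-user records indexed by numerical UID, so every update is a seek to a UID-dependent offset followed by an in-place write. That is why an append-only permission (auth_append_faillog) is not sufficient and the domain needs read/write (auth_rw_faillog). The record layout, the scratch file under /tmp and the sample UIDs are constructed for the demo; the real tallylog record is larger and laid out differently.

```c
/* Added illustration of seek-by-UID tally file access (not pam_tally2's
 * source). Shows why a domain updating such a file needs read+write on it,
 * not merely append: records for low UIDs sit in the middle of the file. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed record layout (assumption; the real one differs). */
struct tally_rec {
    uint16_t fail_cnt;   /* consecutive failed logins */
    uint64_t fail_time;  /* time of last failure, seconds since epoch */
};

/* The file is an array indexed by UID: offset = uid * record size. */
off_t tally_offset(uid_t uid) {
    return (off_t)uid * (off_t)sizeof(struct tally_rec);
}

/* Read the record for uid. Reading past EOF (a UID that has never failed)
 * yields an all-zero record rather than an error. */
int tally_read(int fd, uid_t uid, struct tally_rec *rec) {
    memset(rec, 0, sizeof *rec);
    if (lseek(fd, tally_offset(uid), SEEK_SET) < 0) return -1;
    ssize_t n = read(fd, rec, sizeof *rec);
    if (n < 0) return -1;
    if (n != (ssize_t)sizeof *rec) memset(rec, 0, sizeof *rec); /* no record yet */
    return 0;
}

/* Write the record for uid in place. This is the step that requires write
 * permission: the target offset depends on the UID and is usually not the
 * end of the file, so an append-only descriptor cannot perform it. */
int tally_write(int fd, uid_t uid, const struct tally_rec *rec) {
    if (lseek(fd, tally_offset(uid), SEEK_SET) < 0) return -1;
    return write(fd, rec, sizeof *rec) == (ssize_t)sizeof *rec ? 0 : -1;
}

/* Record one more failure for uid; returns the new count, or -1 on error. */
int tally_bump(int fd, uid_t uid, uint64_t now) {
    struct tally_rec rec;
    if (tally_read(fd, uid, &rec) < 0) return -1;
    rec.fail_cnt++;
    rec.fail_time = now;
    if (tally_write(fd, uid, &rec) < 0) return -1;
    return rec.fail_cnt;
}

/* Open a scratch tally file (constructed stand-in for /var/log/tallylog),
 * read/write, and unlink it so nothing is left behind. */
int tally_open_scratch(void) {
    char path[] = "/tmp/tallylog-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd >= 0) unlink(path);
    return fd;
}

/* Demo: two failures for UID 1000 extend the file to its record, then a
 * failure for UID 500 seeks *backwards* into the middle of the file.
 * Returns 0 when every step behaved as described. */
int tally_demo(void) {
    int fd = tally_open_scratch();
    if (fd < 0) return -1;
    int a = tally_bump(fd, 1000, 1171000000ULL);
    int b = tally_bump(fd, 1000, 1171000060ULL);
    int c = tally_bump(fd, 500, 1171000120ULL);   /* mid-file write, not an append */
    struct tally_rec r;
    int rc = tally_read(fd, 1000, &r);
    close(fd);
    if (rc < 0 || a != 1 || b != 2 || c != 1 || r.fail_cnt != 2) return -1;
    return 0;
}

int main(void) {
    int rc = tally_demo();
    printf("seek-by-uid tally demo: %s\n", rc == 0 ? "ok" : "failed");
    return rc == 0 ? 0 : 1;
}
```

The backwards seek in tally_demo is the behaviour that matters for policy: a descriptor opened with append semantics would silently write the UID 500 record at the end of the file, corrupting the index, which is consistent with Klaus's observation that the append-only rule "didn't work".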
