On 14-4-4 2:57 PM, Pascal Ouyang wrote:
On 14-4-4 3:20 AM, Joe MacDonald wrote:
Hey Wenzong,
I merged two of these four.
[[yocto] [meta-selinux][PATCH 0/4] add targeted/minimum policy and
some updates] On 14.03.24 (Mon 21:07) wenzong....@windriver.com wrote:
From: Wenzong Fan <wenzong....@windriver.com>
Changes:
* backport tmpfs_t patch from upstream;
* add rules for /var/log symlink on poky;
These both went in. These:
* add targeted policy type
* add minimum targeted policy
I'm less clear on. They both look like significant changes to
refpolicy-* behaviour, which is fine, but in that case I think it'd be
better to give them a different name. Or one that differentiates them
significantly. For example the "minimum" policy has users unconfined
and applications confined? Or neither? I'm not sure what the value is
of these.
If they really are just specialized versions of the standard reference
policy, they should at least be ported to use the refpolicy_common
infrastructure Phil set up a while back.
Hi Joe & Wenzong,
According to the original design, both policy types are targeted policies.
For targeted policies:
* Users will log in to shells in the unconfined domain.
* Applications with no policy module, or with their policy module disabled,
will also run in the unconfined domain.
* Applications that are "targeted" have their policy module enabled,
with rules to domtrans from the unconfined/init* domain to their own domain.
The result will be:
- standard/mls :
un-ruled applications (usually bin_t) will run in the unconfined domain,
so operations will *not* be blocked.
s#standard/mls#targeted/minimum#
- targeted/minimum
un-ruled applications will run in the user's current domain, such as
user_t or sysadm_t, so most privileged operations will be blocked.
s#targeted/minimum#standard/mls#
:-;
- Pascal
Difference between refpolicy-minimum & refpolicy-targeted:
* refpolicy-minimum = targeted policy with only the core policies.
It should just be used by admins to define their own policy.
For example, an httpd server could just use refpolicy-minimum + the httpd
module. Actually, I had thought of using refpolicy-targeted-minimum as its
name, but did not in the end.
* refpolicy-targeted = targeted policy with all 300+ modules.
Thanks. :)
- Pascal
Thanks,
-J.
The following changes since commit a6079a43719e79e12a57e609923a0cccdba06916:
refpolicy: fix real path for su.shadow (2014-02-13 10:52:07 -0500)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib wenzong/ref-minimum
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/ref-minimum
Wenzong Fan (4):
refpolicy: associate tmpfs_t (shm) to device_t (devtmpfs) file systems
refpolicy: add rules for /var/log symlink on poky
refpolicy: add targeted policy type
refpolicy: add minimum targeted policy
...associate-tmpfs_t-shm-to-device_t-devtmpf.patch | 30 +++
...ky-policy-add-rules-for-syslogd_t-symlink.patch | 30 +++
...rules-for-var-log-symlink-audisp_remote_t.patch | 29 +++
.../refpolicy/refpolicy-minimum_2.20130424.bb | 46 +++++
...olicy-fix-optional-issue-on-sysadm-module.patch | 60 ++++++
.../refpolicy-unconfined_u-default-user.patch | 198 ++++++++++++++++++++
.../refpolicy/refpolicy-targeted_2.20130424.bb | 18 ++
.../refpolicy/refpolicy_2.20130424.inc | 3 +
8 files changed, 414 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
create mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
create mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
create mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
--
- Pascal
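As an added illustration of the domtrans mechanism Pascal describes (a "targeted" application module that could be loaded on top of refpolicy-minimum), here is a hypothetical refpolicy-style module for a daemon called myapp. It is written for this thread and is not part of the meta-selinux series; the type names, paths and the daemon itself are assumptions, while the refpolicy interfaces used (init_daemon_domain, logging_log_file, logging_log_filetrans, unconfined_domtrans_to) are real.

```selinux
# myapp.te : hypothetical module for a daemon "myapp" (names and paths
# are assumed for this example; the refpolicy interfaces are real).
policy_module(myapp, 1.0.0)

########################################
# Declarations

type myapp_t;
type myapp_exec_t;
# Marks myapp_exec_t as the entrypoint and lets init transition into myapp_t.
init_daemon_domain(myapp_t, myapp_exec_t)

type myapp_log_t;
logging_log_file(myapp_log_t)

########################################
# Local policy

allow myapp_t self:fifo_file rw_fifo_file_perms;
# The daemon may only create and append to its own log files.
allow myapp_t myapp_log_t:file { create open append getattr };
# Files myapp_t creates under /var/log get the private log label.
logging_log_filetrans(myapp_t, myapp_log_t, file)

# Under targeted/minimum the admin shell runs in unconfined_t. This rule
# confines the daemon when it is started by hand rather than by init;
# without it the daemon stays unconfined, the "un-ruled application"
# case from the thread, and none of its operations are blocked.
optional_policy(`
	unconfined_domtrans_to(myapp_t, myapp_exec_t)
')

# myapp.fc : file contexts (paths assumed for the example)
/usr/sbin/myapp		--	gen_context(system_u:object_r:myapp_exec_t,s0)
/var/log/myapp(/.*)?		gen_context(system_u:object_r:myapp_log_t,s0)
```

Build the .te/.fc pair with the Makefile shipped with the refpolicy development headers, load it with `semodule -i myapp.pp`, and confirm with `ps -eZ` that the daemon runs as myapp_t rather than unconfined_t.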
--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto