Hey guys,

Sorry about the delayed response on these, I merged them today with a minor update to the targeted description based on the explanation below.

Thanks,
-J.

[Re: [yocto] [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates] On 14.04.04 (Fri 15:57) Pascal Ouyang wrote:
> On 14-4-4 2:57 PM, Pascal Ouyang wrote:
> >On 14-4-4 3:20 AM, Joe MacDonald wrote:
> >>Hey Wenzong,
> >>
> >>I merged two of these four.
> >>
> >>[[yocto] [meta-selinux][PATCH 0/4] add targeted/minimum policy and
> >>some updates] On 14.03.24 (Mon 21:07) wenzong....@windriver.com wrote:
> >>
> >>>From: Wenzong Fan <wenzong....@windriver.com>
> >>>
> >>>Changes:
> >>>* backport tmpfs_t patch from upstream;
> >>>* add rules for /var/log symlink on poky;
> >>
> >>These both went in. These:
> >>
> >>>* add targeted policy type
> >>>* add minimum targeted policy
> >>
> >>I'm less clear on. They both look like significant changes to
> >>refpolicy-* behaviour, which is fine, but in that case I think it'd be
> >>better to give them a different name. Or one that differentiates them
> >>significantly. For example the "minimum" policy has users unconfined
> >>and applications confined? Or neither? I'm not sure what the value is
> >>of these.
> >>
> >>If they really are just specialized versions of the standard reference
> >>policy, they should at least be ported to use the refpolicy_common
> >>infrastructure Phil set up a while back.
> >
> >Hi Joe&Wenzong,
> >
> >According to the origin design, both policy types are targeted policies.
> >
> >For targeted policies,
> >* Users will login into shells on unconfined domain.
> >* For applications with no policy module or with policy module disabled,
> >they will also run on unconfined domain.
> >* For applications "targeted", they would have policy module enabled,
> >with rules to do domtrans from unconfined/init* domain to their own domain.
> >
> >The result will be:
> >- standard/mls :
> > un-ruled applications(usually bin_t) will run on unconfined domain,
> >so operations will *not* be blocked.
>
> s#standard/mls#targeted/minimum#
>
> >- targeted/minimum
> > un-ruled applications will run on user's current domain, such as
> >user_t,sysadm_t, so most privileged operations will be blocked.
> >
>
> s#targeted/minimum#standard/mls#
>
> :-;
>
> - Pascal
>
> >
> >Difference between refpolicy-minimum&refpolicy-targeted
> >* refpolicy-minimum = targeted policy with only core policies
> > It should just be used for admins to define their own policy.
> > For example, a httpd server could just use refpolicy-minimum + httpd
> >module. Actually, I have thought to use refpolicy-targeted-minimum as its
> >name, but not in the end.
> >* refpolicy-targeted = targeted policy with all 300+ modules
> >
> >Thanks. :)
> >
> >- Pascal
> >
> >>
> >>Thanks,
> >>-J.
> >>
> >>>
> >>>The following changes since commit
> >>>a6079a43719e79e12a57e609923a0cccdba06916:
> >>>
> >>>  refpolicy: fix real path for su.shadow (2014-02-13 10:52:07 -0500)
> >>>
> >>>are available in the git repository at:
> >>>
> >>>  git://git.pokylinux.org/poky-contrib wenzong/ref-minimum
> >>>
> >>>http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/ref-minimum
> >>>
> >>>Wenzong Fan (4):
> >>>  refpolicy: associate tmpfs_t (shm) to device_t (devtmpfs) file
> >>>    systems
> >>>  refpolicy: add rules for /var/log symlink on poky
> >>>  refpolicy: add targeted policy type
> >>>  refpolicy: add minimum targeted policy
> >>>
> >>> ...associate-tmpfs_t-shm-to-device_t-devtmpf.patch |  30 +++
> >>> ...ky-policy-add-rules-for-syslogd_t-symlink.patch |  30 +++
> >>> ...rules-for-var-log-symlink-audisp_remote_t.patch |  29 +++
> >>> .../refpolicy/refpolicy-minimum_2.20130424.bb      |  46 +++++
> >>> ...olicy-fix-optional-issue-on-sysadm-module.patch |  60 ++++++
> >>> .../refpolicy-unconfined_u-default-user.patch      | 198 ++++++++++++++++++++
> >>> .../refpolicy/refpolicy-targeted_2.20130424.bb     |  18 ++
> >>> .../refpolicy/refpolicy_2.20130424.inc             |   3 +
> >>> 8 files changed, 414 insertions(+)
> >>> create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
> >>> create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
> >>> create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
> >>> create mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
> >>> create mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
> >>> create mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
> >>> create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
> >>>
> >
>

--
-Joe MacDonald.
:wq
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
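The distinction Pascal draws above (under a targeted policy the login shell is unconfined_t and an application with no policy module simply inherits that domain, whereas under the standard policy the caller is user_t or sysadm_t and an un-ruled application inherits the confined domain; the minimum flavour ships only core modules, so an admin adds e.g. the httpd module explicitly) can be made concrete with a small domain-transition resolver. This is an added example, not code from meta-selinux or the refpolicy packages discussed in the thread. It parses rules in refpolicy's `type_transition` syntax and applies the "no rule means stay in the caller's domain" fallback; the module snippets, the per-flavour login domains and the module lists are constructed for illustration and are not the real refpolicy module set.

```python
"""Toy resolver for SELinux process domain transitions (added example).

Models the three policy flavours from the thread:
  standard  -> users log in as user_t, full module set
  targeted  -> users log in as unconfined_t, full module set
  minimum   -> users log in as unconfined_t, core modules only
A process lands in the type_transition target if a rule matches the
(caller domain, executable type) pair, otherwise it keeps the caller's domain.
"""
import re

# Real refpolicy syntax: type_transition <source_domain> <exec_type> : process <target_domain>;
RULE_RE = re.compile(r"^type_transition\s+(\w+)\s+(\w+)\s*:\s*process\s+(\w+);")


def parse_rules(text):
    """Return {(source_domain, exec_type): target_domain} for every rule line in text."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, exec_type, target = m.groups()
            rules[(src, exec_type)] = target
    return rules


# Constructed module snippets (hypothetical, not the real httpd/ssh modules):
# each optional module contributes the domtrans rules for its daemon.
MODULES = {
    "httpd": """
        type_transition unconfined_t httpd_exec_t : process httpd_t;
        type_transition init_t httpd_exec_t : process httpd_t;
    """,
    "sshd": """
        type_transition init_t sshd_exec_t : process sshd_t;
    """,
}

# Constructed description of the flavours as explained in the thread.
POLICY_LOGIN_DOMAIN = {
    "standard": "user_t",        # confined user domain
    "targeted": "unconfined_t",  # users unconfined, only targeted apps confined
    "minimum": "unconfined_t",   # same, but only core modules are installed
}
POLICY_MODULES = {
    "standard": ["httpd", "sshd"],
    "targeted": ["httpd", "sshd"],
    "minimum": [],               # admin adds the modules they need
}


def build_policy(enabled_modules):
    """Merge the type_transition rules of every enabled module into one lookup table."""
    rules = {}
    for name in enabled_modules:
        rules.update(parse_rules(MODULES[name]))
    return rules


def resolve_domain(rules, caller_domain, exec_type):
    """Domain the new process runs in: transition target if ruled, else the caller's domain."""
    return rules.get((caller_domain, exec_type), caller_domain)


def run_from_login(policy, exec_type, extra_modules=()):
    """Execute a file of type exec_type from the login shell of the given policy flavour."""
    rules = build_policy(list(POLICY_MODULES[policy]) + list(extra_modules))
    return resolve_domain(rules, POLICY_LOGIN_DOMAIN[policy], exec_type)


if __name__ == "__main__":
    for policy in ("standard", "targeted", "minimum"):
        for exec_type in ("bin_t", "httpd_exec_t"):
            print(f"{policy:9s} {exec_type:13s} -> {run_from_login(policy, exec_type)}")
    # minimum + httpd module, the combination Pascal gives as the intended use
    print(f"minimum+httpd httpd_exec_t -> {run_from_login('minimum', 'httpd_exec_t', ['httpd'])}")
```

Two caveats when reading the output against a real system. A `type_transition` rule only chooses the target domain; the transition is permitted only if the matching `allow` rules (execute on the file type, transition to the target domain, entrypoint for the target) are also present, which is why an "unconfined" result under the targeted flavours means unconfined_t's broad allow rules apply rather than that enforcement is off. On a live box you can confirm what the loaded policy actually does with setools, e.g. `sesearch -T -s unconfined_t -t httpd_exec_t -c process`, and check which policy type is booted with `sestatus`.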