[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2021-06-10 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 Mattia Verga changed: What|Removed |Added Status|POST|CLOSED Resolution|---

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-07-12 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #37 from dac.overr...@gmail.com --- The number of hard dependencies is a bit excessive in my view. Clever use (or better said lack of use) of rpm macros should allow one to drop the dependency on policycoreutils-python-utils, and

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-07-11 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #36 from Yunying Sun --- (In reply to dac.override from comment #35) > This packaging causes issues: > > # dnf install tpm2-abrmd > Last metadata expiration check: 0:21:33 ago on Tue 10 Jul 2018 07:31:51 AM > CEST. > Dependencies

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-07-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #35 from dac.overr...@gmail.com --- This packaging causes issues: # dnf install tpm2-abrmd Last metadata expiration check: 0:21:33 ago on Tue 10 Jul 2018 07:31:51 AM CEST. Dependencies resolved.

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-07-03 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #34 from Gwyn Ciesla --- (fedscm-admin): The Pagure repository was created at https://src.fedoraproject.org/rpms/tpm2-abrmd-selinux

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-06-14 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 Robert-André Mauchin changed: What|Removed |Added Status|NEW |POST

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-06-14 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #32 from Javier Martinez Canillas --- I've addressed all the issues pointed out in the previous comments about the package. The new version is at: Spec URL:

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-05-08 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #31 from Javier Martinez Canillas --- So I finally found some time to work on this, as agreed I went with (b). Following is the pull request for Fedora selinux-policy-contrib repo. Please let me know if I got

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-10 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #30 from dac.overr...@gmail.com --- Yes, it would have been less painful if your process did not pass fds to dbus. That is really something I dislike about dbus. I think I like varlink a lot in that regard. Nevertheless, I agree

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-10 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #29 from Javier Martinez Canillas --- Got it. Thanks a lot for your explanations. I think I'll probably go with (b) then. I like the idea of having independent modules for SELinux policies but now I

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-10 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #28 from dac.overr...@gmail.com --- The CIL policy language would be a solution to this particular challenge. With the CIL language the interfaces are part of the modules. That means that there are no header packages. The

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-10 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #27 from dac.overr...@gmail.com --- Exactly. a. Is in theory the most sane solution, I believe. b. Is probably the most practical solution but that basically ignores modularization. c. Would be a short-term solution but is

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-10 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #26 from Javier Martinez Canillas --- (In reply to dac.override from comment #25) > Basically the way I see it is that this modularization effort requires that > the headers are always installed if policy is

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-10 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #25 from dac.overr...@gmail.com --- Basically the way I see it is that this modularization effort requires that the headers are always installed if policy is installed. That then means that the various policy-devel packages need

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-10 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #24 from dac.overr...@gmail.com --- In other words, you might get into a chicken and egg situation here.

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-10 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #23 from dac.overr...@gmail.com --- Indeed, when the dbus module gets compiled it will be looking for the tabrmd_rw_inherited_unix_stream_sockets() interface that you export in tabrmd.if. If it is not there at build-time then it

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-10 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #22 from dac.overr...@gmail.com --- Yes. This is not going to work.

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-10 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #21 from Javier Martinez Canillas --- (In reply to dac.override from comment #20) > So basically you export "tabrmd_rw_inherited_unix_stream_sockets()" in > tabrmd.if and then you call "optional_policy(` >

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #20 from dac.overr...@gmail.com --- So basically you export "tabrmd_rw_inherited_unix_stream_sockets()" in tabrmd.if and then you call "optional_policy(` tabrmd_rw_inherited_unix_stream_sockets(dbusd_system_t) ')" in dbus.te

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #19 from dac.overr...@gmail.com --- typo's ## ##Use and inherit tabrmd file descriptors. ## ## ## ##Domain allowed access. ## ## # interface(`tabrmd_use_fds',`

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #18 from dac.overr...@gmail.com --- In other words this also demonstrates how the "selinux-policy modularization" effort lacks. Even now you have to ideally add changes to selinux-policy (dbus.te and file_contexts.subs_dist) to get

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #17 from dac.overr...@gmail.com --- Oops, I am wrong. You should add a tabrmd_rw_inherited_unix_stream_sockets() interface to tabrmd.if and then call that in dbus.if instead ## ##

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #16 from Javier Martinez Canillas --- (In reply to dac.override from comment #15) > It should be clarified because it is questionable. > > If a "system_dbusd_domain" would need this permission then the

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #15 from dac.overr...@gmail.com --- It should be clarified because it is questionable. If a "system_dbusd_domain" would need this permission then the permission would have been enclosed with "system_dbusd_domain()". Looking at

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #14 from Javier Martinez Canillas --- (In reply to dac.override from comment #13) > also this should be investigated reproduced: > > https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L20

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #13 from dac.overr...@gmail.com --- also this should be investigated reproduced: https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L20 It's definitely not "rw_stream_socket_perms", if anything it is

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #12 from Javier Martinez Canillas --- (In reply to dac.override from comment #10) > redundant: > https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L12 > > No, I mean that you should

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #11 from dac.overr...@gmail.com --- redundant: https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L18 the system_dbusd_t type is already enclosed with "dbus_system_domain()", no need to "import" it again with

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #10 from dac.overr...@gmail.com --- redundant: https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L12 No, I mean that you should probably populate that file with at least a minimal set of interfaces to interface

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #9 from Javier Martinez Canillas --- (In reply to dac.override from comment #4) > tpm2-abrmd-1.2.0/selinux/tabrmd.te: > > allow tabrmd_t self:unix_dgram_socket { create_socket_perms }; > > redundant:

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #8 from Javier Martinez Canillas --- (In reply to Robert-André Mauchin from comment #3) > - Add the LICENSE file with %license in %install > > - Own these directories: > > [!]: Package must own all

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #7 from Javier Martinez Canillas --- (In reply to Robert-André Mauchin from comment #2) > Thanks Lukas, I'm not a SELinux specialist so I didn't take this package, > I'll finish the review now. > Thanks a

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #6 from dac.overr...@gmail.com --- https://raw.githubusercontent.com/martinezjavier/tpm2-abrmd-selinux/master/tpm2-abrmd-selinux.spec Excuse me but I believe that this spec is wrong: The tabrmd.if file should be installed

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #5 from dac.overr...@gmail.com --- tabrmd.fc: arguably a bug in selinux-policy: /usr/local/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tabrmd_exec_t,s0) ideally an entry should be added to:

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 dac.overr...@gmail.com changed: What|Removed |Added CC||dac.overr...@gmail.com ---

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #3 from Robert-André Mauchin --- - Add the LICENSE file with %license in %install - Own these directories: [!]: Package must own all directories that it creates. Note: Directories without known owners:

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 Robert-André Mauchin changed: What|Removed |Added CC|

[Bug 1550595] Review Request: tpm2-abrmd-selinux - SELinux policies for tpm2-abrmd

2018-04-09 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1550595 --- Comment #1 from Lukas Vrabec --- Hi All, I reviewed SELinux security policy for tpm2-abrmd and both spec file and policy look good to me, it reflects IndependentPolicy guidelines. Thanks, Lukas.