https://bugzilla.redhat.com/show_bug.cgi?id=1550595
Mattia Verga changed:
What|Removed |Added
Status|POST|CLOSED
Resolution|---
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #37 from dac.overr...@gmail.com ---
The number of hard dependencies is a bit excessive in my view.
Clever use (or better said lack of use) of rpm macros should allow one to drop
the dependency on policycoreutils-python-utils, and
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #36 from Yunying Sun ---
(In reply to dac.override from comment #35)
> This packaging causes issues:
>
> # dnf install tpm2-abrmd
> Last metadata expiration check: 0:21:33 ago on Tue 10 Jul 2018 07:31:51 AM CEST.
> Dependencies
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #35 from dac.overr...@gmail.com ---
This packaging causes issues:
# dnf install tpm2-abrmd
Last metadata expiration check: 0:21:33 ago on Tue 10 Jul 2018 07:31:51 AM CEST.
Dependencies resolved.
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #34 from Gwyn Ciesla ---
(fedscm-admin): The Pagure repository was created at
https://src.fedoraproject.org/rpms/tpm2-abrmd-selinux
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
Robert-André Mauchin changed:
What|Removed |Added
Status|NEW |POST
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #32 from Javier Martinez Canillas ---
I've addressed all the issues pointed in the previous comments about the
package. The new version is at:
Spec URL:
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #31 from Javier Martinez Canillas ---
So I finally found some time to work on this, as agreed I went with (b).
Following is the pull request for Fedora selinux-policy-contrib repo. Please
let me know if I got
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #30 from dac.overr...@gmail.com ---
Yes, it would have been less painful if your process did not pass fds to dbus.
That is really something I dislike about dbus. I think I like varlink a lot in
that regard.
Nevertheless, I agree
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #29 from Javier Martinez Canillas ---
Got it. Thanks a lot for your explanations.
I think I'll probably go with (b) then. I like the idea of having independent
modules for SELinux policies but now I
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #28 from dac.overr...@gmail.com ---
The CIL policy language would be a solution to this particular challenge. With
the CIL language the interfaces are part of the modules. That means that there
are no header packages. The
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #27 from dac.overr...@gmail.com ---
Exactly.
a. Is in theory the most sane solution I believe.
b. Is probably the most practical solution but that basically ignores
modularization
c. Would be a short-term solution but is
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #26 from Javier Martinez Canillas ---
(In reply to dac.override from comment #25)
> Basically the way I see it is that this modularization effort requires that
> the headers are always installed if policy is
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #25 from dac.overr...@gmail.com ---
Basically the way I see it is that this modularization effort requires that the
headers are always installed if policy is installed. That then means that the
various policy-devel packages need
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #24 from dac.overr...@gmail.com ---
In other words, you might get into a chicken and egg situation here.
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #23 from dac.overr...@gmail.com ---
Indeed when the dbus module gets compiled it will be looking for the
tabrmd_rw_inherited_unix_stream_sockets() interface that you export in
tabrmd.if
If it is not there at build-time then it
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #22 from dac.overr...@gmail.com ---
Yes. This is not going to work.
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #21 from Javier Martinez Canillas ---
(In reply to dac.override from comment #20)
> So basically you export "tabrmd_rw_inherited_unix_stream_sockets()" in
> tabrmd.if and then you call "optional_policy(`
>
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #20 from dac.overr...@gmail.com ---
So basically you export "tabrmd_rw_inherited_unix_stream_sockets()" in
tabrmd.if and then you call "optional_policy(`
tabrmd_rw_inherited_unix_stream_sockets(dbusd_system_t) ')" in dbus.te
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #19 from dac.overr...@gmail.com ---
typos
########################################
## <summary>
##	Use and inherit tabrmd file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`tabrmd_use_fds',`
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #18 from dac.overr...@gmail.com ---
In other words this also demonstrates how the "selinux-policy modularization"
effort lacks. Even now you have to ideally add changes to selinux-policy
(dbus.te and file_contexts.subs_dist) to get
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #17 from dac.overr...@gmail.com ---
Oops, I am wrong.
You should add a tabrmd_rw_inherited_unix_stream_sockets() interface to
tabrmd.if
and then call that in dbus.if instead
##
##
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #16 from Javier Martinez Canillas ---
(In reply to dac.override from comment #15)
> It should be clarified because it is questionable.
>
> If a "system_dbusd_domain" would need this permission then the
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #15 from dac.overr...@gmail.com ---
It should be clarified because it is questionable.
If a "system_dbusd_domain" would need this permission then the permission would
have been enclosed with "system_dbusd_domain()"
Looking at
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #14 from Javier Martinez Canillas ---
(In reply to dac.override from comment #13)
> Also this should be investigated/reproduced:
>
> https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L20
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #13 from dac.overr...@gmail.com ---
Also this should be investigated/reproduced:
https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L20
It's definitely not "rw_stream_socket_perms", if anything it is
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #12 from Javier Martinez Canillas ---
(In reply to dac.override from comment #10)
> redundant:
> https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L12
>
> No, I mean that you should
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #11 from dac.overr...@gmail.com ---
redundant:
https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L18
the system_dbusd_t type is already enclosed with "dbus_system_domain()", no
need to "import" it again with
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #10 from dac.overr...@gmail.com ---
redundant:
https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L12
No, I mean that you should probably populate that file with at least a minimal
set of interfaces to interface
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #9 from Javier Martinez Canillas ---
(In reply to dac.override from comment #4)
> tpm2-abrmd-1.2.0/selinux/tabrmd.te:
>
> allow tabrmd_t self:unix_dgram_socket { create_socket_perms };
>
> redundant:
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #8 from Javier Martinez Canillas ---
(In reply to Robert-André Mauchin from comment #3)
> - Add the LICENSE file with %license in %install
>
> - Own these directories:
>
> [!]: Package must own all
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #7 from Javier Martinez Canillas ---
(In reply to Robert-André Mauchin from comment #2)
> Thanks Lukas, I'm not a SELinux specialist so I didn't take this package,
> I'll finish the review now.
>
Thanks a
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #6 from dac.overr...@gmail.com ---
https://raw.githubusercontent.com/martinezjavier/tpm2-abrmd-selinux/master/tpm2-abrmd-selinux.spec
Excuse me, but I believe that this spec is wrong:
The tabrmd.if file should be installed
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #5 from dac.overr...@gmail.com ---
tabrmd.fc: arguably a bug in selinux-policy:
/usr/local/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tabrmd_exec_t,s0)
ideally an entry should be added to:
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
dac.overr...@gmail.com changed:
What|Removed |Added
CC||dac.overr...@gmail.com
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #3 from Robert-André Mauchin ---
- Add the LICENSE file with %license in %install
- Own these directories:
[!]: Package must own all directories that it creates.
Note: Directories without known owners:
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
Robert-André Mauchin changed:
What|Removed |Added
CC|
https://bugzilla.redhat.com/show_bug.cgi?id=1550595
--- Comment #1 from Lukas Vrabec ---
Hi All,
I reviewed the SELinux security policy for tpm2-abrmd, and both the spec file and
the policy look good to me; it reflects the IndependentPolicy guidelines.
Thanks,
Lukas.