ttps://github.com/intrajp/irforum_jp
> ___
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help"
On Fri, Sep 14, 2018 at 04:18:29PM -0500, Ted Toth wrote:
> On Wed, Sep 12, 2018 at 9:57 AM Ted Toth wrote:
>
> >
> >
> > On Wed, Sep 12, 2018 at 9:36 AM Dominick Grift
> > wrote:
> >
> >> On Wed, Sep 12, 2018 at 09:57:20AM -0400, Stephen Smalley w
thub.com/DefenSec/dssp2-standard/commits/master
DSSP2 does not support enforcement of confidentiality though
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
signature.asc
Descrip
On Thu, Jul 19, 2018 at 07:54:22PM +0200, Lukas Vrabec via refpolicy wrote:
> On 07/19/2018 07:47 PM, Dominick Grift wrote:
> > On Thu, Jul 19, 2018 at 07:42:53PM +0200, Lukas Vrabec via refpolicy wrote:
> >> On 07/19/2018 06:51 PM, Dominick Grift via refpolicy wrote:
> >
On Thu, Jul 19, 2018 at 07:42:53PM +0200, Lukas Vrabec via refpolicy wrote:
> On 07/19/2018 06:51 PM, Dominick Grift via refpolicy wrote:
> > On Thu, Jul 19, 2018 at 06:40:25PM +0200, Dominick Grift wrote:
> >> On Thu, Jul 19, 2018 at 06:17:46PM +0200, Lukas Vrabec via refpoli
On Thu, Jul 19, 2018 at 06:40:25PM +0200, Dominick Grift wrote:
> On Thu, Jul 19, 2018 at 06:17:46PM +0200, Lukas Vrabec via refpolicy wrote:
> > Hi All,
> >
> > I found one thing in refpolicy which I don't completely understand.
> >
> > In "policy/support/
licy mailing list
> refpol...@oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
On Fri, May 04, 2018 at 09:36:12AM -0400, Stephen Smalley wrote:
> On 05/04/2018 09:26 AM, Dominick Grift wrote:
> > On Fri, May 04, 2018 at 09:08:36AM -0400, Stephen Smalley wrote:
> >> On 05/04/2018 03:55 AM, Jason Zaman wrote:
> >>> On Thu, May 03, 2018 at 10:
> >> Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
> >>
> >> * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
> >> no longer mandatory (thanks to the switch to "-l:libsepol.a" in
> >> Makef
On Fri, May 04, 2018 at 09:09:20AM -0400, Stephen Smalley wrote:
> On 05/04/2018 08:19 AM, Dominick Grift wrote:
> > On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> >> Hi,
> >>
> >> If you have encountered any unreported problems with th
ted PyGI library. This means that selinux-gui now
> depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
> requires PyGtk or Python 2.
rt_t:tcp_socket name_connect;
I think it should be possible to control egress/ingress on labeled interfaces
>
> --
> Regards,
> Troels Arvin
On Mon, Apr 09, 2018 at 01:41:12PM +0200, Lukas Vrabec wrote:
> On 04/09/2018 10:41 AM, Dominick Grift wrote:
> > On Mon, Apr 09, 2018 at 09:55:23AM +0200, Dominick Grift wrote:
> >> On Sun, Apr 08, 2018 at 11:00:53PM +0200, Lukas Vrabec wrote:
> >>> Hi All,
> >
On Mon, Apr 09, 2018 at 09:55:23AM +0200, Dominick Grift wrote:
> On Sun, Apr 08, 2018 at 11:00:53PM +0200, Lukas Vrabec wrote:
> > Hi All,
> >
> > I'm reading "SELINUX COMMON INTERMEDIATE LANGUAGE MOTIVATION AND DESIGN"
> > wiki page [1] and I'm interest
> Lukas.
>
>
> [1] https://github.com/SELinuxProject/cil/wiki
>
> --
> Lukas Vrabec
> Software Engineer, Security Technologies
> Red Hat, Inc.
>
access_check:
https://github.com/bus1/dbus-broker/issues/16
>
>
On Wed, Feb 28, 2018 at 10:27:08AM +0100, Dominick Grift wrote:
> Since Linux 4.16 (to at least RC2) user space started to excessively trigger
> cap_sys_module
>
> Here is one example of such and event:
>
> type=SYSCALL msg=audit(02/27/2018 08:06:40.017:74) : arch=x86_64
>
Signed-off-by: Dominick Grift <dac.overr...@gmail.com>
---
secilc/secilc.8.xml | 5 +
1 file changed, 5 insertions(+)
diff --git a/secilc/secilc.8.xml b/secilc/secilc.8.xml
index 4c779b64..e08a9624 100644
--- a/secilc/secilc.8.xml
+++ b/secilc/secilc.8.xml
@@ -75,6
On Wed, Jan 31, 2018 at 09:56:56PM +0100, Dominick Grift wrote:
> I have a template (blockabstract): foo.bar.template
>
> in another module i want to inherit that like this:
>
> (in foo
> (block baz
> (blockinherit bar.template)))
>
> This does not seem to
On Fri, Jan 19, 2018 at 11:43:33AM +0100, Dominick Grift wrote:
> On Fri, Jan 19, 2018 at 11:34:37AM +0100, Dominick Grift wrote:
> > On Fri, Jan 19, 2018 at 11:19:51AM +0100, Dominick Grift wrote:
> > > The default_type functionality is too limited because it assumes tha
On Fri, Jan 19, 2018 at 11:34:37AM +0100, Dominick Grift wrote:
> On Fri, Jan 19, 2018 at 11:19:51AM +0100, Dominick Grift wrote:
> > The default_type functionality is too limited because it assumes that all
> > login programs associate the same type wi
On Fri, Jan 19, 2018 at 11:19:51AM +0100, Dominick Grift wrote:
> The default_type functionality is too limited because it assumes that all
> login programs associate the same type with a given role
>
> This is not the case
>
> For example:
>
> default_type for local_
change it to restore? Per the man page, restore is to
> > > > temporarily restore the contexts and would be a separate entry in the
> > > > PAM stack before the module that needs the original contexts, followed
> > > > by
> >
> >
> >
>
>
> --
>
> Thanks
> Aman
> Cell: +91 9990296404 | Email ID : amansh.shar...@gmail.com
t; > > >
> > > > > >
> > > > > > > system_r unconfined_r
> > > > > > > unconfined_uuser s0 s0-s0:c0.c1023
> > > >
> > > > > >
> > > > > > > system_r unconfined_r
> > > > > > > user_u user s0 s0
> > > >
> > > > > >
> > > > > > > user_r
> > > > > > > xguest_uuser s0 s0
> > > >
> > > > > >
> > > > > > > xguest_r
> > > > > > >
> > > > > > >
> > > > > > > Looks like its related to some other issue. What you think
> > > > about
> > > > > > > this.
> > > > > >
> > > > > > Do you have any relevant error messages in /var/log/secure or
> > > > > > journalctl -rb? Look for anything that refers to selinux or
> > > > > > context.
> > > > > >
> > > > > > I'm guessing that pam_selinux is unable to determine a valid
> > > > > > context for your login for some reason, and this is causing it to
> > > > > > fall back to this one. Or something like that.
> > > > > >
> > > > > > You could try to emulate this process via selinuxdefcon, although
> > > > > > I'm not sure how closely it matches pam_selinux anymore. Sample
> > > > > > usage:
> > > > > >
> > > > > > 1. See what context sshd is running in.
> > > > > >
> > > > > > ps -eZ | grep sshd
> > > > > >
> > > > > > It should be:
> > > > > > system_u:system_r:sshd_t:s0-s0:c0.c1023
> > > > > >
> > > > > > 2. Run selinuxdefcon to compute the default context for root when
> > > > > > logging in from sshd:
> > > > > >
> > > > > > # Second argument should be whatever was shown by ps -eZ | grep
> > > > > > sshd above.
> > > > > > selinuxdefcon root system_u:system_r:sshd_t:s0-s0.c0123
> > > > > >
> > > > > > It should be:
> > > > > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
an -D
> > > >
> > > > Or you could be drastic and completely reset your policy:
> > > > mv /etc/selinux/targeted /etc/selinux/targeted.old
> > > > yum reinstall selinux-policy-targeted
> > > >
> > >
> > >
> > >
sh_sysadm_login --> on
Thanks. That means I was wrong.
>
>
> On Wed, Nov 29, 2017 at 1:52 PM, Dominick Grift <dac.overr...@gmail.com>
> wrote:
>
> > On Wed, Nov 29, 2017 at 09:33:31AM +0530, Aman Sharma wrote:
> > > Hi Stephen,
> > >
>
dm_u s0-s0:c0.c1023 *
> > > sftpuser specialuser_u s0 *
> > > system_u sysadm_u s0-s0:c0.c1023 *
> > >
> > >
> > > Can anybody Please help me.
> >
> > What is your sestatus -v output? How are you logging in (console, gdm,
> > ssh, ...)?
> >
> > You don't appear to be running the default policy, or if you are,
> > someone has heavily customized your user and login mappings.
On Tue, Sep 12, 2017 at 12:01:35PM -0400, Stephen Smalley wrote:
> On Sep 12, 2017 7:01 AM, "Dominick Grift" <dac.overr...@gmail.com> wrote:
>
> I have extended socket class polcap enabled but i am still seeing "socket"
> class events and i was wondering wh
6040 scontext=wheel.id:sysadm.role:nethogs.subj:s0
tcontext=wheel.id:sysadm.role:nethogs.subj:s0 tclass=packet_socket permissive=0
On Thu, Sep 07, 2017 at 04:30:36PM +0200, Dominick Grift wrote:
> On Thu, Sep 07, 2017 at 03:56:36PM +0200, Dominick Grift wrote:
> > On Thu, Sep 07, 2017 at 03:50:02PM +0200, Dominick Grift wrote:
> > > On Thu, Sep 07, 2017 at 03:30:47PM +0200, Dominick Grift wrote:
> >
On Thu, Sep 07, 2017 at 03:56:36PM +0200, Dominick Grift wrote:
> On Thu, Sep 07, 2017 at 03:50:02PM +0200, Dominick Grift wrote:
> > On Thu, Sep 07, 2017 at 03:30:47PM +0200, Dominick Grift wrote:
> > > On Thu, Sep 07, 2017 at 03:22:42PM +0200, Dominick Grift wrote:
> >
On Thu, Sep 07, 2017 at 03:50:02PM +0200, Dominick Grift wrote:
> On Thu, Sep 07, 2017 at 03:30:47PM +0200, Dominick Grift wrote:
> > On Thu, Sep 07, 2017 at 03:22:42PM +0200, Dominick Grift wrote:
> > > On Thu, Sep 07, 2017 at 08:55:23AM -0400, Stephen Smalley wrote:
> >
On Thu, Sep 07, 2017 at 03:30:47PM +0200, Dominick Grift wrote:
> On Thu, Sep 07, 2017 at 03:22:42PM +0200, Dominick Grift wrote:
> > On Thu, Sep 07, 2017 at 08:55:23AM -0400, Stephen Smalley wrote:
> > > On Thu, 2017-09-07 at 11:05 +0200, Dominick Grift wrote:
> > >
On Thu, Sep 07, 2017 at 03:22:42PM +0200, Dominick Grift wrote:
> On Thu, Sep 07, 2017 at 08:55:23AM -0400, Stephen Smalley wrote:
> > On Thu, 2017-09-07 at 11:05 +0200, Dominick Grift wrote:
> > > pam_selinux requirements are generally pretty simple: its used to
> &g
On Thu, Sep 07, 2017 at 08:55:23AM -0400, Stephen Smalley wrote:
> On Thu, 2017-09-07 at 11:05 +0200, Dominick Grift wrote:
> > pam_selinux requirements are generally pretty simple: its used to
> > associate a context with a login shell.
> >
> > With systemd thi
proc
> > tree
> > as in the /proc/net -> /proc/self/net example.
> > This does not alter labeling of symlinks within /proc/pid
> > directories.
> > ls -Zd /proc/net output before and after the patch should show the
> > difference.
> >
> > Signed-off-by: Stephen D. Smalley <s...@tycho.nsa.gov>
> > Signed-off-by: James Morris <jmor...@namei.org>
s will leverage the
> saved linked policy.
>
> * libsemanage no longer depends on ustr.
>
> * libselinux/utils Makefile now uses SBINDIR instead of USRBINDIR.
>
> * mcstrans/utils Makefile now uses SBINDIR instead of BINDIR.
>
> * Some packages (libselinux, checkpolicy, sel
On Wed, Aug 02, 2017 at 06:35:00PM +0200, Dominick Grift wrote:
> On Wed, Aug 02, 2017 at 04:41:00PM +0100, Carlos Rodrigues wrote:
> > Hi,
> >
> > I don't know if this a too basic question to ask here, or the proper
> > place, but here it goes:
> >
> &
On Wed, Aug 02, 2017 at 02:59:34PM -0400, Stephen Smalley wrote:
> On Wed, 2017-08-02 at 18:35 +0200, Dominick Grift wrote:
> > On Wed, Aug 02, 2017 at 04:41:00PM +0100, Carlos Rodrigues wrote:
> > > Hi,
> > >
> > > I don't know if this a too basic quest
ting up reverse proxies for "http_port_t" upstreams on CentOS
> all this time...
I think the "httpd_graceful_shutdown" is an apache thing (probably for
"apachectl graceful-stop"). However, I cannot reproduce this behavior with
httpd-2.4.27-4.fc27.
On Thu, Jul 20, 2017 at 09:04:18AM -0400, Stephen Smalley wrote:
> On Wed, 2017-07-19 at 21:17 -0400, Chris PeBenito wrote:
> > On 07/19/2017 05:31 PM, Dominick Grift wrote:
> > > On Wed, Jul 19, 2017 at 10:49:46PM +0200, Dominick Grift wrote:
> > > > On Wed, Ju
On Wed, Jul 19, 2017 at 10:49:46PM +0200, Dominick Grift wrote:
> On Wed, Jul 19, 2017 at 09:12:33AM +0200, Dominick Grift wrote:
> > On Tue, Jul 18, 2017 at 09:07:45PM -0400, Chris PeBenito wrote:
> > > On 07/18/2017 05:26 PM, Paul Moore wrote:
> > > > On Tue, Ju
On Wed, Jul 19, 2017 at 09:12:33AM +0200, Dominick Grift wrote:
> On Tue, Jul 18, 2017 at 09:07:45PM -0400, Chris PeBenito wrote:
> > On 07/18/2017 05:26 PM, Paul Moore wrote:
> > > On Tue, Jul 18, 2017 at 3:20 PM, Stephen Smalley <s...@tycho.nsa.gov>
> > > wrote:
On Thu, Jul 13, 2017 at 07:55:14PM -0400, Chris PeBenito wrote:
> On 07/13/2017 04:11 PM, Dominick Grift wrote:
> > On Thu, Jul 13, 2017 at 03:59:29PM -0400, Stephen Smalley wrote:
> > > On Thu, 2017-07-13 at 21:43 +0200, Dominick Grift wrote:
> > > > On Thu, Ju
On Thu, Jul 13, 2017 at 03:59:29PM -0400, Stephen Smalley wrote:
> On Thu, 2017-07-13 at 21:43 +0200, Dominick Grift wrote:
> > On Thu, Jul 13, 2017 at 09:28:43PM +0200, Dominick Grift wrote:
> > > On Thu, Jul 13, 2017 at 03:29:56PM -0400, Stephen Smalley wrote:
> > > &g
On Thu, Jul 13, 2017 at 03:29:56PM -0400, Stephen Smalley wrote:
> On Thu, 2017-07-13 at 20:16 +0200, Dominick Grift wrote:
> > On Thu, Jul 13, 2017 at 02:13:40PM -0400, Stephen Smalley wrote:
> > > On Thu, 2017-07-13 at 18:55 +0200, Dominick Grift wrote:
> > > > On T
On Thu, Jul 13, 2017 at 08:16:14PM +0200, Dominick Grift wrote:
> On Thu, Jul 13, 2017 at 02:13:40PM -0400, Stephen Smalley wrote:
> > On Thu, 2017-07-13 at 18:55 +0200, Dominick Grift wrote:
> > > On Thu, Jul 13, 2017 at 11:59:55AM -0400, Stephen Smalley wrote:
> > > &g
On Thu, Jul 13, 2017 at 09:28:43PM +0200, Dominick Grift wrote:
> On Thu, Jul 13, 2017 at 03:29:56PM -0400, Stephen Smalley wrote:
> > On Thu, 2017-07-13 at 20:16 +0200, Dominick Grift wrote:
> > > On Thu, Jul 13, 2017 at 02:13:40PM -0400, Stephen Smalley wrote:
> > > &g
On Thu, Jul 13, 2017 at 02:13:40PM -0400, Stephen Smalley wrote:
> On Thu, 2017-07-13 at 18:55 +0200, Dominick Grift wrote:
> > On Thu, Jul 13, 2017 at 11:59:55AM -0400, Stephen Smalley wrote:
> > > On Thu, 2017-07-13 at 11:48 -0400, Stephen Smalley wrote:
> > > > On
on the matter
>
> >
> > On a separate note, I plan to cc luto on the next version of the
> > patch
> > as I suspect he will have concerns about relaxing this constraint on
> > NNP and this likely requires updating
> > Documentation/prctl/no_new_privs*
> > and the man pages that describe NNP behavior.
> >
> > The other model would be to figure out a way to make the typebounds
> > logic work cleanly in a manner that preserves the desired NNP/nosuid
> > invariant _and_ doesn't require leaking unnecessary accesses into the
> > ancestor domains that make them less secure, plus CIL support for
> > automatically propagating permissions in the desired way. But I
> > haven't yet come up with a way to do that. We can do it in some
> > cases
> > by creating typebounds between the object types, e.g.:
> > typebounds parent_t child_t;
> > allow child_t self:process execmem;
> > allow child_t child_exec_t:file entrypoint;
> > allow child_t child_tmp_t:file create;
> > can be allowed via:
> > allow parent_t child_t:process execmem; # an otherwise nonsensical
> > rule
> > typebounds parent_exec_t child_exec_t;
> > typebounds parent_tmp_t child_tmp_t;
> > but this breaks down when there isn't an equivalent type and
> > permission
> > set already allowed to the parent for every type allowed to the
> > child.
On Wed, Jul 12, 2017 at 03:38:28PM +0200, Dominick Grift wrote:
> On Wed, Jul 12, 2017 at 03:30:25PM +0200, Dominick Grift wrote:
> > On Wed, Jul 12, 2017 at 09:01:48AM -0400, Stephen Smalley wrote:
> > > On Tue, 2017-07-11 at 22:44 +0200, Dominick Grift wrote:
> > > &
On Wed, Jul 12, 2017 at 03:30:25PM +0200, Dominick Grift wrote:
> On Wed, Jul 12, 2017 at 09:01:48AM -0400, Stephen Smalley wrote:
> > On Tue, 2017-07-11 at 22:44 +0200, Dominick Grift wrote:
> > > On Tue, Jul 11, 2017 at 04:23:29PM -0400, Stephen Smalley wrote:
> > > &g
On Wed, Jul 12, 2017 at 09:01:48AM -0400, Stephen Smalley wrote:
> On Tue, 2017-07-11 at 22:44 +0200, Dominick Grift wrote:
> > On Tue, Jul 11, 2017 at 04:23:29PM -0400, Stephen Smalley wrote:
> > > On Tue, 2017-07-11 at 22:10 +0200, Dominick Grift wrote:
> > > > On T
On Tue, Jul 11, 2017 at 04:23:29PM -0400, Stephen Smalley wrote:
> On Tue, 2017-07-11 at 22:10 +0200, Dominick Grift wrote:
> > On Tue, Jul 11, 2017 at 10:05:36PM +0200, Dominick Grift wrote:
> > > On Tue, Jul 11, 2017 at 03:52:52PM -0400, Stephen Smalley wrote:
> > > &g
On Tue, Jul 11, 2017 at 10:05:36PM +0200, Dominick Grift wrote:
> On Tue, Jul 11, 2017 at 03:52:52PM -0400, Stephen Smalley wrote:
> > On Mon, 2017-07-10 at 16:25 -0400, Stephen Smalley wrote:
> > > As systemd ramps up enabling NoNewPrivileges (either explicitly in
> &
n int selinux_policycap_nnptransition;
> >
> > /*
> > * type_datum properties
> > diff --git a/security/selinux/ss/services.c
> > b/security/selinux/ss/services.c
> > index 2f02fa6..2faf47a 100644
> > --- a/security/selinux/ss/services.c
> > +++ b/security/selinux/ss/services.c
> > @@ -76,7 +76,8 @@ char
> > *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = {
> > "open_perms",
> > "extended_socket_class",
> > "always_check_network",
> > - "cgroup_seclabel"
> > + "cgroup_seclabel",
> > + "nnp_transition"
> > };
> >
> > int selinux_policycap_netpeer;
> > @@ -84,6 +85,7 @@ int selinux_policycap_openperm;
> > int selinux_policycap_extsockclass;
> > int selinux_policycap_alwaysnetwork;
> > int selinux_policycap_cgroupseclabel;
> > +int selinux_policycap_nnptransition;
> >
> > static DEFINE_RWLOCK(policy_rwlock);
> >
> > @@ -2009,6 +2011,9 @@ static void security_load_policycaps(void)
> > selinux_policycap_cgroupseclabel =
> > ebitmap_get_bit(,
> > POLICYDB_CAPABILITY_CGROUPSECLABEL);
> > + selinux_policycap_nnptransition =
> > + ebitmap_get_bit(,
> > + POLICYDB_CAPABILITY_NNPTRANSITION);
> >
> > for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
> > pr_info("SELinux: policy capability %s=%d\n",
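Review bot: in the added `selinux_policycap_nnptransition = ebitmap_get_bit(, POLICYDB_CAPABILITY_NNPTRANSITION);` lines the first argument to ebitmap_get_bit() is empty as quoted, so the hunk does not compile as shown; the existing cgroupseclabel assignment two lines above is quoted the same way, which suggests the bitmap pointer was eaten by mail or HTML quoting rather than omitted, but confirm the submitted patch passes the same policycaps bitmap as the cgroupseclabel line and that POLICYDB_CAPABILITY_NNPTRANSITION is defined in the same enum that bounds `selinux_policycap_names[__POLICYDB_CAPABILITY_MAX]` in the first hunk, since the loop below prints one entry per name.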
On Mon, Jun 26, 2017 at 03:00:31PM -0400, Stephen Smalley wrote:
> On Mon, 2017-06-26 at 14:24 -0400, Stephen Smalley wrote:
> > On Mon, 2017-06-26 at 19:49 +0200, Dominick Grift wrote:
> > > On Mon, Jun 26, 2017 at 01:41:05PM -0400, Stephen Smalley wrote:
> > > > On
On Mon, Jun 26, 2017 at 01:41:05PM -0400, Stephen Smalley wrote:
> On Mon, 2017-06-26 at 19:20 +0200, Dominick Grift wrote:
> > On Mon, Jun 26, 2017 at 01:22:41PM -0400, Stephen Smalley wrote:
> > > On Mon, 2017-06-26 at 18:45 +0200, Dominick Grift wrote:
> > > > On M
On Mon, Jun 26, 2017 at 01:22:41PM -0400, Stephen Smalley wrote:
> On Mon, 2017-06-26 at 18:45 +0200, Dominick Grift wrote:
> > On Mon, Jun 26, 2017 at 11:50:10AM -0400, Stephen Smalley wrote:
> > > On Mon, 2017-06-26 at 15:26 +0200, Dominick Grift wrote:
> > > > On M
On Mon, Jun 26, 2017 at 11:50:10AM -0400, Stephen Smalley wrote:
> On Mon, 2017-06-26 at 15:26 +0200, Dominick Grift wrote:
> > On Mon, Jun 26, 2017 at 09:08:16AM -0400, Stephen Smalley wrote:
> > > On Sat, 2017-06-24 at 12:20 +0200, Laurent Bigonville wrote:
> > > >
in a strict environment one still might need run_init for
the `update aliases` functionality in Red Hat-based distributions. I might be
wrong though
> wasn't required for typical operation (maybe under -mls policy it was
> still needed, not sure). Possibly we should move run_init out of
> policycoreutils into its own subdirectory in the selinux userspace tree
> to reflect this transition and start deprecating it.
>
On Mon, Jun 19, 2017 at 11:45:53AM -0400, Daniel Walsh wrote:
> On 06/16/2017 12:08 PM, Dominick Grift wrote:
> > On Fri, Jun 16, 2017 at 08:21:25AM -0400, Daniel Walsh wrote:
> > > On 06/14/2017 10:47 AM, Dominick Grift wrote:
> > > > On Wed, Jun 14, 2017 at 04:35:41
On Fri, Jun 16, 2017 at 08:21:25AM -0400, Daniel Walsh wrote:
> On 06/14/2017 10:47 AM, Dominick Grift wrote:
> > On Wed, Jun 14, 2017 at 04:35:41PM +0200, Dominick Grift wrote:
> > > On Wed, Jun 14, 2017 at 10:30:25AM -0400, Stephen Smalley wrote:
> > > > On Wed,
t, lists[CIL_LIST_DEFAULT_TYPE],
> CIL_KEY_DEFAULTTYPE);
> + cil_defaults_to_policy(out, lists[CIL_LIST_DEFAULT_USER],
> "default_usr");
> + cil_defaults_to_policy(out, lists[CIL_LIST_DEFAULT_ROLE],
> "default_role");
> + cil_defaults_to_policy(out, lists[CIL_LIST_DEFAULT_TYPE],
> "default_type");
>
> if (db->mls == CIL_TRUE) {
> cil_default_ranges_to_policy(out,
> lists[CIL_LIST_DEFAULT_RANGE]);
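Review bot: the string literal on the `CIL_LIST_DEFAULT_USER` line, "default_usr", does not follow the pattern of the two lines below it ("default_role", "default_type"); if that string is the keyword written into the generated policy, the abbreviated form would yield a statement checkpolicy does not recognise, so either change it to "default_user" or state why the shorter spelling is intended.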
> --
> 2.9.4
>
On Wed, Jun 14, 2017 at 04:35:41PM +0200, Dominick Grift wrote:
> On Wed, Jun 14, 2017 at 10:30:25AM -0400, Stephen Smalley wrote:
> > On Wed, 2017-06-14 at 09:01 -0400, Jan Zarsky wrote:
> > > Hi,
> > >
> > > I would like to improve SELinux audit2allow tool
m/2016/02/collecting-ioctl-command-denials-for.html
> but note that the syntax has changed to e.g.
> allowxperm : ioctl { command values> };
>
> > I would also like to know which feature would you appreciate the
> > most.
>
> You should likely study the tooling and workflow used by other security
> projects, e.g. AppArmor, TOMOYO, grsecurity, for policy learning and
> generation.
>
y out of them.
> >* add option to open bugzilla
> >* output to Ansible playbook/role task (add option for this)
> >
> > I would also like to know which feature would you appreciate the most.
> >
> > Thanks
> >
> > Jan Zarsky
> >
>
>
> --
> James Carter <jwca...@tycho.nsa.gov>
> National Security Agency
On Fri, Jun 02, 2017 at 07:12:25AM -0400, Steve Lawrence wrote:
> On 06/02/2017 05:18 AM, Dominick Grift wrote:
> > On Thu, Jun 01, 2017 at 11:37:11PM +0200, Nicolas Iooss wrote:
> >> On Thu, Jun 1, 2017 at 7:05 PM, jwcart2 <jwca...@tycho.nsa.gov> wrote:
> >&g
- struct cil_alias *alias = (struct cil_alias
> >> *)(*datum);
> >> - if (alias->actual) {
> >> - *datum = alias->actual;
> >> - }
> >> - }
> >> - }
> >> -
> >> args->last_resolved_name = name;
> >> return rc;
> >> diff --git a/libsepol/cil/src/cil_resolve_ast.h
> >> b/libsepol/cil/src/cil_resolve_ast.h
> >> index 82c8ea3..1d971fd 100644
> >> --- a/libsepol/cil/src/cil_resolve_ast.h
> >> +++ b/libsepol/cil/src/cil_resolve_ast.h
> >> @@ -99,5 +99,6 @@ int cil_resolve_tunif(struct cil_tree_node *current,
> >> void *extra_args);
> >> int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current);
> >> int cil_resolve_name(struct cil_tree_node *ast_node, char *name, enum
> >> cil_sym_index sym_index, void *extra_args, struct cil_symtab_datum
> >> **datum);
> >> +int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char
> >> *name, enum cil_sym_index sym_index, void *extra_args, struct
> >> cil_symtab_datum **datum);
> >> #endif /* CIL_RESOLVE_AST_H_ */
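Review bot: the new `cil_resolve_name_keep_aliases()` prototype is added directly below `cil_resolve_name()` with no comment describing how the two differ, and this header is the only place most callers will see it; add a one-line comment above the declaration stating that it returns the alias datum itself instead of following `alias->actual`, which is what the `if (alias->actual) { *datum = alias->actual; }` block removed from cil_resolve_ast.c in the previous hunk used to do unconditionally.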
> >>
On Thu, May 25, 2017 at 11:40:49AM +0200, Petr Lautrbach wrote:
> On 05/25/2017 07:44 AM, Dominick Grift wrote:
> > On Wed, May 24, 2017 at 04:40:55PM -0400, Stephen Smalley wrote:
> > > On Wed, 2017-05-24 at 16:53 +0200, Dominick Grift wrote:
> > > > On Wed, Ma
On Wed, May 24, 2017 at 04:11:44PM -0400, Stephen Smalley wrote:
> On Wed, 2017-05-24 at 14:08 +0200, Dominick Grift wrote:
> > I was looking again at ioctl whitelisting, and excuse me if I
> > overlooked some documentation, but I am having a hard time
> > implementing this.
On Wed, May 24, 2017 at 04:40:55PM -0400, Stephen Smalley wrote:
> On Wed, 2017-05-24 at 16:53 +0200, Dominick Grift wrote:
> > On Wed, May 24, 2017 at 04:33:16PM +0200, Dominick Grift wrote:
> > > On Wed, May 24, 2017 at 04:22:08PM +0200, Petr Lautrbach wrote:
> > &g
On Wed, May 24, 2017 at 04:33:16PM +0200, Dominick Grift wrote:
> On Wed, May 24, 2017 at 04:22:08PM +0200, Petr Lautrbach wrote:
> > For the motivation see
> > https://marc.info/?l=selinux&m=149435307518336&w=2
>
> Thanks! I enabled the one with Fedora patches because i
; Petr
On Mon, May 22, 2017 at 08:23:50PM +0200, Dominick Grift wrote:
> On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
> > > re
tpd_sys_script_t;
> > type http_port_t;
> > type mysqld_port_t;
> > type rpm_var_cache_t;
> > type kernel_t;
> > class process { setpgid transition };
> > class system module_request;
> > class tcp_socket name_connect;
> > class dir { read search open getattr };
> > class file { open read getattr };
> > }
> >
> > allow httpd_t rpm_var_cache_t:dir { read search open getattr };
> > allow httpd_t rpm_var_cache_t:file { read getattr open } ;
> > allow httpd_t mysqld_port_t:tcp_socket name_connect;
> > allow httpd_sys_script_t self:process setpgid;
> > allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
> > allow httpd_sys_script_t kernel_t:system module_request;
> >
> > #type=SELINUX_ERR msg=audit(1495467001.822:84934):
> > op=security_bounded_transition seresult=denied
> > oldcontext=system_u:system_r:httpd_t:s0
> > newcontext=system_u:system_r:httpd_sys_script_t:s0
> > # THIS STILL DOES NOT WORK! SYSTEMD ISSUE?
> > allow httpd_t httpd_sys_script_t:process transition;
On Mon, May 22, 2017 at 10:16:55AM -0700, Chris O'Neil wrote:
>
>
> On 05/22/2017 09:58 AM, Dominick Grift wrote:
> > On Mon, May 22, 2017 at 09:29:10AM -0700, Chris O'Neil wrote:
> >> Hi, running latest RHEL 7.3 ... struggling with an SELinux issue related
> >>
> allow httpd_t rpm_var_cache_t:dir { read search open getattr };
> allow httpd_t rpm_var_cache_t:file { read getattr open } ;
> allow httpd_t mysqld_port_t:tcp_socket name_connect;
> allow httpd_sys_script_t self:process setpgid;
> allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
> allow httpd_sys_script_t kernel_t:system module_request;
>
> #type=SELINUX_ERR msg=audit(1495467001.822:84934):
> op=security_bounded_transition seresult=denied
> oldcontext=system_u:system_r:httpd_t:s0
> newcontext=system_u:system_r:httpd_sys_script_t:s0
> # THIS STILL DOES NOT WORK! SYSTEMD ISSUE?
> allow httpd_t httpd_sys_script_t:process transition;
On Tue, May 09, 2017 at 06:47:55PM +0200, Dominick Grift wrote:
> On Tue, May 09, 2017 at 06:15:43PM +0200, Dominick Grift wrote:
> > On Tue, May 09, 2017 at 11:21:23AM -0400, Karl MacMillan wrote:
> > >
> > > > On May 8, 2017, at 4:40 PM, Dominick Grift <dac.o
On Tue, May 09, 2017 at 06:15:43PM +0200, Dominick Grift wrote:
> On Tue, May 09, 2017 at 11:21:23AM -0400, Karl MacMillan wrote:
> >
> > > On May 8, 2017, at 4:40 PM, Dominick Grift <dac.overr...@gmail.com> wrote:
> > >
> > > On Mon, May 08, 2017
On Tue, May 09, 2017 at 11:21:23AM -0400, Karl MacMillan wrote:
>
> > On May 8, 2017, at 4:40 PM, Dominick Grift <dac.overr...@gmail.com> wrote:
> >
> > On Mon, May 08, 2017 at 04:09:16PM -0400, Karl MacMillan wrote:
> >>
> >>> On May 8, 2017, at
On Mon, May 08, 2017 at 11:47:14PM +0200, Dominick Grift wrote:
> On Mon, May 08, 2017 at 10:40:53PM +0200, Dominick Grift wrote:
> > On Mon, May 08, 2017 at 04:09:16PM -0400, Karl MacMillan wrote:
> > >
> > > > On May 8, 2017, at 3:49 PM, Dominick Grift <dac.o
On Mon, May 08, 2017 at 10:40:53PM +0200, Dominick Grift wrote:
> On Mon, May 08, 2017 at 04:09:16PM -0400, Karl MacMillan wrote:
> >
> > > On May 8, 2017, at 3:49 PM, Dominick Grift <dac.overr...@gmail.com> wrote:
> > >
> > > On Mon, May 08, 2017
On Mon, May 08, 2017 at 04:09:16PM -0400, Karl MacMillan wrote:
>
> > On May 8, 2017, at 3:49 PM, Dominick Grift <dac.overr...@gmail.com> wrote:
> >
> > On Mon, May 08, 2017 at 03:36:21PM -0400, Karl MacMillan wrote:
> >>
> >>>
> >>
On Mon, May 08, 2017 at 03:36:21PM -0400, Karl MacMillan wrote:
>
> > On May 8, 2017, at 5:32 AM, Dominick Grift <dac.overr...@gmail.com> wrote:
> >
> > On Mon, May 08, 2017 at 10:55:55AM +0200, Dominick Grift wrote:
> >> On Sun, May 07, 2017 at 03
On Mon, May 08, 2017 at 03:23:06PM -0400, Karl MacMillan wrote:
>
> > On May 7, 2017, at 5:39 AM, Dominick Grift <dac.overr...@gmail.com> wrote:
> >
> > On Sat, May 06, 2017 at 07:19:20PM +0200, Dominick Grift wrote:
> >> On Sat, May 06, 2017 at 06
On Mon, May 08, 2017 at 10:55:55AM +0200, Dominick Grift wrote:
> On Sun, May 07, 2017 at 03:42:50PM -0400, Joshua Brindle wrote:
> > Dominick Grift wrote:
> > > On Sun, May 07, 2017 at 11:22:00AM -0400, Joshua Brindle wrote:
> > > > Dominick Grift wrote:
> &
On Sun, May 07, 2017 at 03:42:50PM -0400, Joshua Brindle wrote:
> Dominick Grift wrote:
> > On Sun, May 07, 2017 at 11:22:00AM -0400, Joshua Brindle wrote:
> > > Dominick Grift wrote:
> > >
> > >
> > > > The idea is nice, unfortunately it