[refpolicy] services_snmp.patch

Daniel J Walsh dwalsh at redhat.com
Thu Dec 4 13:30:10 CST 2008



Christopher J. PeBenito wrote:
> On Thu, 2008-12-04 at 14:21 -0500, Daniel J Walsh wrote:
>> Christopher J. PeBenito wrote:
>>> On Wed, 2008-12-03 at 18:09 -0500, Daniel J Walsh wrote:
>>>> Christopher J. PeBenito wrote:
>>>>> On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
>>>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
>>>>>>
>>>>>> Communicates with virtual machines and xen machines
>>>>> I put the kernel_*_xen_state() calls in with the other xen_*() calls.
>>>>>
>>>>> Merged with some other tweaks.
>>>>>
>>>> But the xen stuff is optional while the kernel* calls are not.  So if
>>>> you used a policy without xen policy you still want to use the xen device.
>>> That doesn't make any sense to me.  Why would it still be using the xen
>>> proc interfaces if there is no xen?
>>>
>> If I have xen devices defined but use some policy other than xen, say
>> initrc_t, or myxen or expanded virt whatever.  The devices are defined
>> in device.te and other xen calls are defined in xen.if, they are not the
>> same.
> 
> But we're not talking about devices, we're talking about proc entries.
> I wouldn't expect those proc entries to exist except on a xen system, in
> which case you also need the xen policy.
> 
You would need policy but not necessarily the interfaces that are
defined in xen.if.

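The two placements debated in this thread, written out as an added example that is not taken from the patch or from the merged policy. The domain snmpd_t and the interface names kernel_read_xen_state, kernel_write_xen_state and xen_stream_connect are assumptions; the thread names only kernel_*_xen_state() and xen_*().

```selinux
# Alternative A: kernel calls grouped with the xen calls.
# An optional_policy block is kept or dropped as a unit. If the xen
# module is not part of the build, the symbols required by
# xen_stream_connect() are unresolved, so the whole block is discarded,
# including the two kernel_*_xen_state() rules.
optional_policy(`
	kernel_read_xen_state(snmpd_t)
	kernel_write_xen_state(snmpd_t)

	xen_stream_connect(snmpd_t)
')

# Alternative B: kernel calls outside the optional block.
# The kernel module is part of the base policy, so these two calls
# always resolve. snmpd_t keeps access to the xen proc entries even
# when a different module (not xen.if) provides the rest of the
# virtualization policy.
kernel_read_xen_state(snmpd_t)
kernel_write_xen_state(snmpd_t)

optional_policy(`
	# Only the call that depends on types declared by the xen
	# module stays optional.
	xen_stream_connect(snmpd_t)
')
```

Alternative A grants less when xen is absent; alternative B keeps the proc access unconditional. A policy would use one of the two, not both.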

