[refpolicy] (u|r)bacsep: initial testing
Christopher J. PeBenito
cpebenito at tresys.com
Fri Nov 14 07:29:21 CST 2008
On Thu, 2008-11-13 at 14:30 -0500, Eamon Walsh wrote:
> Christopher J. PeBenito wrote:
> >
> > ping
> >
> > This is the last call. I have not heard any comments from the
> > community. User-based separations have finished going through vetting
> > internally at Tresys; I plan to finalize this and then merge it into
> > trunk in the next week or so unless there are any objections raised.
> >
> > This really needs to be tested by people whose projects depend on proper
> > role separations.
>
> I had to apply this patch to policy/constraints to get around a build error:
>
> Index: constraints
> ===================================================================
> --- constraints (revision 2873)
> +++ constraints (working copy)
> @@ -81,8 +81,11 @@
>
> constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
> (
> - basic_ubac_conditions
> - or t1 == ubacproc
> + ifdef(`enable_ubac',`
> + basic_ubac_conditions
> + or
> + ')
> + t1 == ubacproc
> );
>
> constrain process { transition noatsecure siginh rlimitinh }
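Review bot: in the constrain process { sigchld ... setrlimit } block, the ifdef(`enable_ubac', ...) wraps only "basic_ubac_conditions or", so when enable_ubac is undefined the statement is still emitted with the body ( t1 == ubacproc ), and these process permissions are then granted only when the source type carries the ubacproc attribute. Move the ifdef outside so it encloses the entire constrain statement, leaving no constraint at all when UBAC is disabled. The body of the following constrain process { transition noatsecure siginh rlimitinh } statement is not shown in this hunk; it is worth checking for the same pattern.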
I put the whole constraint in the enable_ubac. If UBAC is disabled, we
don't want the t1 == ubacproc to still be a constraint.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150