Re: SE Linux policy update

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: debian-release@lists.debian.org
Subject: Re: SE Linux policy update
From: Russell Coker <russell@coker.com.au>
Date: Sat, 19 Mar 2011 20:03:43 +1100
Message-id: <[🔎] 201103192003.44063.russell@coker.com.au>
Reply-to: russell@coker.com.au
In-reply-to: <[🔎] 1300524001.15823.2606.camel@hathi.jungle.funky-badger.org>
References: <[🔎] 201103112321.54091.russell@coker.com.au> <[🔎] 201103191458.29020.russell@coker.com.au> <[🔎] 1300524001.15823.2606.camel@hathi.jungle.funky-badger.org>

On Sat, 19 Mar 2011, "Adam D. Barratt" <adam@adam-barratt.org.uk> wrote:
> > They have all been tested on multiple systems.  Also many of the changes
> > are related to things that didn't work at all previously so there was
> > little scope for regression.
> 
> Okay.

Apart from the one I just backed out.  :-#
 
> > > >    * Add tunable user_manage_dos_files which defaults to true
> > > 
> > > What's the current behaviour?  All users can manage such files, or none
> > > can?
> > 
> > None.
> 
> Hmmm, so this is introducing a behaviour change.

A behavior change that makes it work in the expected manner by default while 
also allowing tuning it for maximum restriction seems like a reasonable thing 
to include.  I don't think that many users desire their USB flash storage 
devices to be entirely inaccessible to user applications.

> > > >    * Dontaudit bind_t write attempts to / for lwresd calling
> > > >    access(".", W_OK)
> > > 
> > > "Don't audit"
> > 
> > Stops filling the logs when the daemon is just asking whether the
> > directory is writable.
> 
> I guessed what the change was for, but was commenting on the fact that
> the changelog entry said "Dontaudit", which looked like it should have
> been "don't audit"; apologies if that wasn't clear enough.

"dontaudit" is a SE Linux policy key word.  Capitalising it at the start of 
the sentence might be considered dubious, but seems like the clearest way of 
expressing it.

> > Now what's the procedure for uploading it?  Do I just replace "unstable"
> > with "stable" in the changelog, use the version number you requested,
> > and then upload it?
> 
> It looks like you've done that in the meantime.
> 
> p-u-NEW's been frozen for the past week in preparation for the point
> release later today, and DSA are planning to upgrade the machine to
> Squeeze later in the day, so we'll start working through the queue again
> over the next few days.

So I've missed this point release?  What's the deadline for the next one?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Reply to:

Follow-Ups:
- Re: SE Linux policy update
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

References:
- SE Linux policy update
  - From: Russell Coker <russell@coker.com.au>
- Re: SE Linux policy update
  - From: Russell Coker <russell@coker.com.au>
- Re: SE Linux policy update
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Re: SE Linux policy update
Next by Date: Re: SE Linux policy update
Previous by thread: Re: SE Linux policy update
Next by thread: Re: SE Linux policy update
Index(es):
- Date
- Thread