Report 21 to 28 Dec. 2019

  • Added an FC spec for some emacs elpa helper scripts. A Debian apt post-installation scriptlet prompted this. Not sure if eventually I want to label that this way, but for now this will keep apt happy.
  • Removed some macro access to capabilities for “common_user”. These macros are also called for prefixed domains and not only for “subj.common_subj” access. Therefore I shouldn't imply access to caps here.
  • I reverted a commit that actually opened up a LOT of bad access. These “subj.common_subj.all_macro_templates” reference “subj_type_attribute” from the calling namespace. If that type attribute does not exist there, then it will use the namespace of the macro. In this case it allows all callers for “chfn.run” access to various process perms for “subj.common_subj.subj_type_attribute”.
  • On one of my systems fstrim does a “write” access check on mountpoints such as /boot and others (I guess the filesystems mounted on there don’t support “discard” even though they are storage). Anyhow, that is speculation, and I dontaudited audit_access there.
  • Googler wants to execute uname.
  • Some changes to screen. Initially I gave “screen home” a private type for “.screenrc”, and screen read access. I opened this up to also make it apply to “screenlog” and “hardcopy”. So I ended up giving “manage” access to screen for “screen home” files. People might want screen to “write” to .screenrc, so this is a little bit more tolerant/liberal.
  • Added a basic policy to “radeontop”. This is probably one of the simplest policy modules in dssp2 standard.

… And that wraps it up for this week.
