On Thu, Apr 16, 2020 at 12:33 PM Sreyan Chakravarty <sreya...@gmail.com> wrote:
> > On Mon, Apr 13, 2020 at 6:56 PM Sreyan Chakravarty <sreyan32(a)gmail.com>
> > wrote:
> >
> > Hi,
> >
> > There has already been reported a bugzilla:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1797543
> >
> > A new domain is needed to confine systemd-sleep. As a temporary workaround,
> > you can create a file with the following content:
> >
> > (allow init_t swapfile_t (file (getattr open read ioctl lock)))
> >
> > insert as a custom policy module:
> >
> > semodule -i local_init_swapfile.cil
> >
> > and then remove it once the policy is updated.
>
> Can you please tell me what is the difference between your method and
> running:
>
> ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
> semodule -X 300 -i my-systemdsleep.pp
>
> This seems to be more permissive compared to your workaround. Would I be
> correct?

It should be roughly the same; you may have hit only one or two of the permissions requested and get to additional ones later, so in this sense you are right, as I added a common permissions set in advance.

The biggest difference I see, though, is that with enumerating the permissions you have full control over what is to be put into the custom policy module, while running audit2allow directly with the -M switch is kind of a black box where you can't see it. It can be done in 2 steps: use -m, check the type-enforcement file, possibly add or delete some of the permissions, and then insert the module. It does not matter whether the te or cil language and file format is used.
> _______________________________________________
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org

--
Zdenek Pytela
Security controls team, sst_platform_security
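As an added example (not from the thread or any Fedora tooling), a small Python script that performs the "enumerate and review" step described above: it parses raw AVC denial records from the audit log and renders them as CIL allow statements, so the full permission set per (source type, target type, class) is visible before anything is passed to semodule. The sample records are constructed, modelled on the init_t / swapfile_t denial the bug report concerns; the regex, function names and output layout are this example's own assumptions, not audit2allow's.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the thread). The SYSCALL
# record is included to show that non-AVC lines are skipped.
SAMPLE_AVCS = """\
type=AVC msg=audit(1586786190.123:456): avc:  denied  { getattr } for  pid=1234 comm="systemd-sleep" path="/swapfile" dev="dm-0" ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:swapfile_t:s0 tclass=file permissive=0
type=AVC msg=audit(1586786190.124:457): avc:  denied  { read open } for  pid=1234 comm="systemd-sleep" path="/swapfile" dev="dm-0" ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:swapfile_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1586786190.124:457): arch=c000003e syscall=257 success=no exit=-13
"""

# Matches the decision, the requested permissions and the two contexts of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denials(raw):
    """Return {(source_type, target_type, class): set(perms)} from raw audit text."""
    rules = defaultdict(set)
    for line in raw.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/CWD/PATH records carry no access decision
        # A context is user:role:type:level; the type is the third field.
        stype = m.group("scon").split(":")[2]
        ttype = m.group("tcon").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def to_cil(rules):
    """Render grouped denials as one CIL allow statement per (src, tgt, class)."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        lines.append(f"(allow {stype} {ttype} ({tclass} ({' '.join(sorted(perms))})))")
    return "\n".join(lines)


if __name__ == "__main__":
    # Review this output, trim anything not justified, then save it as a .cil
    # file and load it with semodule -i as the thread describes.
    print(to_cil(parse_denials(SAMPLE_AVCS)))
```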