[DSE-Dev] Bug#697814: Bug#697814: selinux-policy-default: exim4 and bitlbee want access to sysctl_crypto_t

Marius Gavrilescu marius at ieval.ro
Thu Jan 10 09:23:05 UTC 2013


On Thu, Jan 10, 2013 at 02:59:41AM +0100, Mika Pflüger wrote:
> How should we proceed? Add kernel_read_crypto_sysctls for everyone who
> needs it (which could be quite some list considering that libgcrypt11
> has about 200 reverse dependencies…) or follow the Fedora way and allow
> it for everybody?

Allowing everyone to read it seems reasonable. There's no security problem
if a program finds out whether we are in FIPS mode or not.

> However, this only breaks FIPS mode for the affected programs so maybe
> the impact is so low that we don't fix it for wheezy and therefore
> only work for a solution upstream. How many people use system-wide FIPS
> mode?

I don't use FIPS mode, but I think that FIPS users[0] would want this bug
fixed in wheezy. The change is minor, so getting an unblock wouldn't be
difficult. An actual FIPS user[0] should say their opinion on this bug.

[0]: if there are any
-- 
Marius Gavrilescu
(kids) There's no one in there. --6 year old son, in response to seeing his father hanging pictures and tapping on the walls to find the support beams.