2008-09-24 20:00:54

by Daniel Walsh

Subject: [refpolicy] services_smartmon.patch


http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_smartmon.patch

Add initrc script support

allow admin to start/stop service

Admin needs admin_pattern on all file types

smartmon reads netlink route information

Needs to resolve dns names

Someone said it needs mls_file_write_all_levels


2008-10-08 20:07:11

by cpebenito

Subject: [refpolicy] services_smartmon.patch

On Wed, 2008-09-24 at 16:00 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_smartmon.patch
>
> Add initrc script support
>
> allow admin to start/stop service
>
> Admin needs admin_pattern on all file types
>
> smartmon reads netlink route information
>
> Needs to resolve dns names
>
> Someone said it needs mls_file_write_all_levels

Merged except for the MLS bit. Shouldn't it instead be running at
system high? Its purpose is to monitor the disks which are all system
high.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2008-10-09 00:53:56

by Daniel Walsh

Subject: [refpolicy] services_smartmon.patch


Christopher J. PeBenito wrote:
> On Wed, 2008-09-24 at 16:00 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_smartmon.patch
>>
>> Add initrc script support
>>
>> allow admin to start/stop service
>>
>> Admin needs admin_pattern on all file types
>>
>> smartmon reads netlink route information
>>
>> Needs to resolve dns names
>>
>> Someone said it needs mls_file_write_all_levels
>
> Merged except for the MLS bit. Shouldn't it instead be running at
> system high? Its purpose is to monitor the disks which are all system
> high.
>
Updated smartmon patch to run at system_high, also latest fsdaemon
creates devices.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: services_smartmon.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20081008/84211391/attachment.pl

2008-10-10 17:20:04

by cpebenito

Subject: [refpolicy] services_smartmon.patch

On Wed, 2008-10-08 at 20:53 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Wed, 2008-09-24 at 16:00 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_smartmon.patch
> >>
> >> Add initrc script support
> >>
> >> allow admin to start/stop service
> >>
> >> Admin needs admin_pattern on all file types
> >>
> >> smartmon reads netlink route information
> >>
> >> Needs to resolve dns names
> >>
> >> Someone said it needs mls_file_write_all_levels
> >
> > Merged except for the MLS bit. Shouldn't it instead be running at
> > system high? Its purpose is to monitor the disks which are all system
> > high.
> >
> Updated smartmon patch to run at system_high, also latest fsdaemon
> creates devices.

I don't see a range transition. Also, if it's running at system high,
does it still need the mls_file_write_all_levels()?

> plain text document attachment (services_smartmon.patch)
> --- nsaserefpolicy/policy/modules/services/smartmon.te 2008-10-08 19:00:27.000000000 -0400
> +++ serefpolicy-3.5.11/policy/modules/services/smartmon.te 2008-10-08 20:36:17.000000000 -0400
> @@ -26,7 +26,7 @@
>
> allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
> dontaudit fsdaemon_t self:capability sys_tty_config;
> -allow fsdaemon_t self:process signal_perms;
> +allow fsdaemon_t self:process { signal_perms setfscreate };
> allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
> allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
> allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
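
Review bot: the setfscreate permission added to the self:process rule has no comment saying why fsdaemon_t needs to set its file-creation context, and nothing else in this hunk uses it. If it is only there for the device creation added at the end of the file (storage_dev_filetrans_fixed_disk, seutil_read_file_contexts, selinux_validate_context), say so in a comment or keep those rules together, so the permission can be dropped if that behaviour goes away.
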
> @@ -66,6 +66,7 @@
> fs_search_auto_mountpoints(fsdaemon_t)
>
> mls_file_read_all_levels(fsdaemon_t)
> +mls_file_write_all_levels(fsdaemon_t)
>
> storage_raw_read_fixed_disk(fsdaemon_t)
> storage_raw_write_fixed_disk(fsdaemon_t)
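
Review bot: mls_file_write_all_levels(fsdaemon_t), added directly under the existing mls_file_read_all_levels(fsdaemon_t), gives the domain both MLS file overrides, while the patch contains no range transition that would run fsdaemon_t at system high. Add the range transition first and then check whether the write override is still required; if it is, a comment naming what is written at other levels would justify keeping it.
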
> @@ -99,3 +100,10 @@
> optional_policy(`
> udev_read_db(fsdaemon_t)
> ')
> +
> +dev_del_entry_generic_dirs(fsdaemon_t)
> +storage_dev_filetrans_fixed_disk(fsdaemon_t)
> +storage_manage_fixed_disk(fsdaemon_t)
> +seutil_read_file_contexts(fsdaemon_t)
> +selinux_validate_context(fsdaemon_t)
> +
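
Review bot: the five rules appended after the closing optional_policy block sit apart from the existing storage_raw_read_fixed_disk and storage_raw_write_fixed_disk calls and carry no comment on why the daemon now creates and removes device nodes. Group the storage_* and dev_* calls with the existing storage_raw_* calls, add a one-line comment, confirm that storage_manage_fixed_disk is needed on top of the raw read/write access already granted, and drop the blank line the hunk adds at the end of the file.
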
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2008-10-14 15:04:58

by Daniel Walsh

Subject: [refpolicy] services_smartmon.patch


The patch has been updated to transition to system_high.