2013-11-11 14:12:31

by Laurent Bigonville

Subject: [refpolicy] [RFC] Add security class and access vector permissions for systemd

From: Laurent Bigonville <[email protected]>

This patch adds the necessary security class and permissions for systemd.

Fedora seems to add more permissions than the ones that are actually used in the
source; I'm not too sure why. Daniel, I guess you could help here?

---
policy/flask/access_vectors | 15 +++++++++++++++
policy/flask/security_classes | 3 +++
2 files changed, 18 insertions(+)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index a94b169..260ea4c 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -393,6 +393,13 @@ class system
syslog_mod
syslog_console
module_request
+ halt
+ reboot
+ status
+ start
+ enable
+ disable
+ reload
}

#
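Review bot: the seven permissions added to `class system` after `module_request` carry no comment marking them as systemd additions, while the `security_classes` hunk in the same patch labels its addition `# systemd services`; add a matching comment line above `halt` so the block is recognisable when the set is revisited. Three of these names (`status`, `start`, `reload`) also appear in the new `service` class later in this patch, so the commit message should state which object each copy is checked against (the manager as a whole versus an individual unit); as written it only notes that Fedora ships more permissions than the source uses.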
@@ -865,3 +872,11 @@ inherits database
implement
execute
}
+
+class service
+{
+ start
+ stop
+ status
+ reload
+}
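Review bot: `class service` grants `start`, `stop`, `status` and `reload` but not `enable` or `disable`, which this patch places on `class system` instead; if enabling or disabling a unit is a per-unit decision, those two belong here so that policy can scope them to a unit's type rather than to the whole manager. The commit message leaves its own question about the Fedora permission set open; settle the list before merging, since other policy modules will reference these permission names by class.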
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 14a4799..2ee86d1 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -131,4 +131,7 @@ class db_view # userspace
class db_sequence # userspace
class db_language # userspace

+# systemd services
+class service #userspace
+
# FLASK
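Review bot: `+class service #userspace` omits the space after `#` that the neighbouring `class db_language # userspace` lines use; write `class service # userspace` for consistency, since that marker is how the file records that a class is enforced by a userspace object manager (here systemd) rather than by the kernel. The `# systemd services` comment could say so explicitly.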
--
1.8.4.2

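As an added example (not part of this patch or the thread, and not refpolicy's own tooling), the following Python script parses the two flask definition files the patch touches, `policy/flask/security_classes` and `policy/flask/access_vectors`, and runs the checks a reviewer would want before merging: every class that receives permissions in `access_vectors` must be declared in `security_classes`, no class may list a permission twice, and it reports which permission names the `system` and `service` classes share. The two inputs are constructed excerpts modelled on the hunks above; the parser handles `class foo { ... }`, `class foo inherits bar { ... }` and a bare `class foo inherits bar` with no body, and ignores `common` blocks.

```python
"""Consistency checks for SELinux flask security_classes / access_vectors files.

Added example for the refpolicy systemd patch; the inputs below are
constructed excerpts of the two files after the patch is applied.
"""
import re

# Constructed excerpt of policy/flask/security_classes (post-patch).
SECURITY_CLASSES = """\
class system
class db_language # userspace

# systemd services
class service #userspace

# FLASK
"""

# Constructed excerpt of policy/flask/access_vectors (post-patch).
ACCESS_VECTORS = """\
class system
{
    ipc_info
    syslog_read
    syslog_mod
    syslog_console
    module_request
    halt
    reboot
    status
    start
    enable
    disable
    reload
}

class service
{
    start
    stop
    status
    reload
}
"""


def strip_comments(text):
    """Drop everything after '#' on each line; both files use '#' comments."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_security_classes(text):
    """Return the ordered list of class names declared in security_classes."""
    return re.findall(r"^\s*class\s+(\w+)", strip_comments(text), re.M)


def parse_access_vectors(text):
    """Return {class_name: [permission, ...]} from an access_vectors file.

    Inherited permissions are not expanded; a class with no body (only an
    'inherits' clause) maps to an empty list.
    """
    block_re = re.compile(
        r"\bclass\s+(\w+)(?:\s+inherits\s+\w+)?(?:\s*\{([^}]*)\})?", re.S
    )
    return {name: body.split() for name, body in block_re.findall(strip_comments(text))}


def check_consistency(security_classes, access_vectors):
    """Return a list of findings; an empty list means the two files agree."""
    declared = set(parse_security_classes(security_classes))
    vectors = parse_access_vectors(access_vectors)
    findings = []
    for name, perms in vectors.items():
        if name not in declared:
            findings.append(
                f"class {name} has permissions but is not declared in security_classes"
            )
        seen = set()
        for perm in perms:
            if perm in seen:
                findings.append(f"class {name} lists permission {perm} twice")
            seen.add(perm)
    return findings


def shared_permissions(vectors, class_a, class_b):
    """Permission names present in both classes, sorted for stable output."""
    return sorted(set(vectors[class_a]) & set(vectors[class_b]))


if __name__ == "__main__":
    av = parse_access_vectors(ACCESS_VECTORS)
    for finding in check_consistency(SECURITY_CLASSES, ACCESS_VECTORS) or ["no findings"]:
        print(finding)
    print("system/service overlap:", shared_permissions(av, "system", "service"))
```

Run against the real files by replacing the two constructed strings with `open("policy/flask/security_classes").read()` and the `access_vectors` equivalent; the overlap report is the quickest way to see which names (here `start`, `status`, `reload`) a reviewer must attribute to either the manager or the unit.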

2013-11-11 15:19:31

by Daniel Walsh

Subject: [refpolicy] [RFC] Add security class and access vector permissions for systemd

On 11/11/2013 09:12 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> This patch adds the necessary security class and permissions for systemd.
>
> Fedora seems to add more permissions than the ones that are actually used in
> the source; I'm not too sure why. Daniel, I guess you could help here?
>

Here is the current Fedora_flask patch.

You seem to be missing some access checks from service.

The Enable/Disable/Reload are caused by systemd generating its own internal
runtime unit files and probably asking the wrong question. I think we need
to fix systemd to ask a question based on the service, not the system, for these
so they can be eliminated.

ptrace_child kernel patch has not been upstreamed, but the idea here is to
allow users to ptrace child processes rather than picking a random pid.

compromize_kernel in mac_admin2 is used to indicate that you are doing
something that could/would break secure_boot, (I believe).


+ getnetgrp
+ shmemnetgrp

Are new checks used by nscd.

+class proxy
+{
+ read
+}

Is a new service used for gssproxy.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: fedora_flask.patch
Type: text/x-patch
Size: 1361 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20131111/d4ca4535/attachment.bin