-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Add initrscript labeling
Kerneloops sends itself signals
Needs to tread routing table.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjvt7cACgkQrlYvE4MpobMmgQCgz15nTPmv22uuTSkfo5Jarfoh
tzQAoLDOm/5pSBMfcRpq0Ly357PWnN4j
=nH8b
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: services_kerneloops.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/bdf2aa83/attachment.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: services_kerneloops.patch.sig
Type: application/octet-stream
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/bdf2aa83/attachment.obj
On Fri, 2008-10-10 at 16:14 -0400, Daniel J Walsh wrote:
> Add initrscript labeling
>
> Kerneloops sends itself signals
>
> Needs to tread routing table.
Merged.
> plain text document attachment (services_kerneloops.patch)
> --- nsaserefpolicy/policy/modules/services/kerneloops.fc 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/kerneloops.fc 2008-10-10 16:08:15.000000000 -0400
> @@ -1 +1,3 @@
> +/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0)
> +
> /usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
> --- nsaserefpolicy/policy/modules/services/kerneloops.if 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/kerneloops.if 2008-10-10 16:08:15.000000000 -0400
> @@ -71,13 +71,25 @@
> ## Domain allowed access.
> ## </summary>
> ## </param>
> +## <param name="role">
> +## <summary>
> +## The role to be allowed to manage the kerneloops domain.
> +## </summary>
> +## </param>
> ## <rolecap/>
> #
> interface(`kerneloops_admin',`
> gen_require(`
> type kerneloops_t;
> + type kerneloops_initrc_exec_t;
> ')
>
> allow $1 kerneloops_t:process { ptrace signal_perms };
> ps_process_pattern($1, kerneloops_t)
> +
> + init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
> + domain_system_change_exemption($1)
> + role_transition $2 kerneloops_initrc_exec_t system_r;
> + allow $2 system_r;
> +
> ')
> --- nsaserefpolicy/policy/modules/services/kerneloops.te 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/kerneloops.te 2008-10-10 16:08:15.000000000 -0400
> @@ -10,13 +10,16 @@
> type kerneloops_exec_t;
> init_daemon_domain(kerneloops_t, kerneloops_exec_t)
>
> +type kerneloops_initrc_exec_t;
> +init_script_file(kerneloops_initrc_exec_t)
> +
> ########################################
> #
> # kerneloops local policy
> #
>
> allow kerneloops_t self:capability sys_nice;
> -allow kerneloops_t self:process { setsched getsched };
> +allow kerneloops_t self:process { setsched getsched signal };
> allow kerneloops_t self:fifo_file rw_file_perms;
>
> kernel_read_ring_buffer(kerneloops_t)
> @@ -24,6 +27,8 @@
> # Init script handling
> domain_use_interactive_fds(kerneloops_t)
>
> +allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
> +
> corenet_all_recvfrom_unlabeled(kerneloops_t)
> corenet_all_recvfrom_netlabel(kerneloops_t)
> corenet_tcp_sendrecv_all_if(kerneloops_t)
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150