2012-12-08 21:18:07

by sven.vermeulen

Subject: [refpolicy] Kernel-triggered scripts

Hi guys,

One of the init systems that Gentoo supports uses kernel-triggered scripts
for managing cgroups (I'm pretty sure others do a similar thing). If the
script is labeled as bin_t, the execution of the script runs as kernel_t.

I'd like to set up a proper domain transition for this, but I'm not sure
where to position it exactly. It is part of the init system, but it has
little to do with "init" by itself, so I'm inclined to put it in either a
separate module, or inside the portage module.

What do other distributions do with kernel-triggered scripts? Let them run
in the kernel_t domain? The domain runs as unconfined if you support
unconfined domains, so it is possible most distributions have less impact on
such things.

Wkr,
Sven Vermeulen


2012-12-10 15:02:54

by Daniel Walsh

Subject: [refpolicy] Kernel-triggered scripts

On 12/08/2012 04:18 PM, Sven Vermeulen wrote:
> Hi guys,
>
> One of the init systems that Gentoo supports uses kernel-triggered scripts
> for managing cgroups (I'm pretty sure others do a similar thing). If the
> script is labeled as bin_t, the execution of the script runs as kernel_t.
>
> I'd like to set up a proper domain transition for this, but I'm not sure
> where to position it exactly. It is part of the init system, but it has
> little to do with "init" by itself, so I'm inclined to put it in either a
> separate module, or inside the portage module.
>
> What do other distributions do with kernel-triggered scripts? Let them run
> in the kernel_t domain? The domain runs as unconfined if you support
> unconfined domains, so it is possible most distributions have less impact
> on such things.
>
> Wkr, Sven Vermeulen
>

Currently we do nothing in Fedora.

sesearch -T -s kernel_t -c process
Found 5 semantic te rules:
type_transition kernel_t anaconda_exec_t : process anaconda_t;
type_transition kernel_t init_exec_t : process init_t;
type_transition kernel_t insmod_exec_t : process insmod_t;
type_transition kernel_t abrt_helper_exec_t : process abrt_helper_t;
type_transition kernel_t udev_exec_t : process udev_t;

But adding confinement for these seems to make sense, since kernel_t will not
be unconfined in all circumstances. I don't believe Fedora/RHEL has many
scripts executed from the kernel, although I could be mistaken.
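
Added example (not part of either message, and not refpolicy or Fedora code): a small audit that takes the sesearch output quoted in the reply and reports which kernel-executed helpers would keep running as kernel_t because no type_transition matches their file label. The helper list, its paths and the cgroup agent script are constructed sample data in `ls -Z` style.

```python
import re

# Output quoted in the reply above (sesearch -T -s kernel_t -c process).
SESEARCH_OUTPUT = """\
Found 5 semantic te rules:
type_transition kernel_t anaconda_exec_t : process anaconda_t;
type_transition kernel_t init_exec_t : process init_t;
type_transition kernel_t insmod_exec_t : process insmod_t;
type_transition kernel_t abrt_helper_exec_t : process abrt_helper_t;
type_transition kernel_t udev_exec_t : process udev_t;
"""

# Constructed sample: contexts of programs the kernel executes directly.
# Paths are hypothetical; the last one stands in for a cgroup helper script.
HELPERS = """\
system_u:object_r:insmod_exec_t:s0 /sbin/modprobe
system_u:object_r:udev_exec_t:s0 /sbin/udevd
system_u:object_r:bin_t:s0 /usr/libexec/example/cgroup-release-agent.sh
"""

# Accepts both "type : process" and "type:process" spacing.
RULE = re.compile(
    r"^\s*type_transition\s+(\S+)\s+(\S+)\s*:\s*process\s+(\S+?)\s*;")

def parse_transitions(text, source="kernel_t"):
    """Map entrypoint file type -> target domain for one source domain."""
    table = {}
    for line in text.splitlines():
        m = RULE.match(line)
        if m and m.group(1) == source:
            table[m.group(2)] = m.group(3)
    return table

def resulting_domains(helpers, transitions, source="kernel_t"):
    """Return (path, file_type, domain); without a rule the caller's domain is kept."""
    rows = []
    for line in helpers.splitlines():
        if not line.strip():
            continue
        context, path = line.split(None, 1)
        file_type = context.split(":")[2]  # user:role:type[:level]
        rows.append((path.strip(), file_type, transitions.get(file_type, source)))
    return rows

def stays_in_source(helpers, transitions, source="kernel_t"):
    """Paths that would execute in the source domain (no transition defined)."""
    return [p for p, _, d in resulting_domains(helpers, transitions, source) if d == source]

if __name__ == "__main__":
    for path in stays_in_source(HELPERS, parse_transitions(SESEARCH_OUTPUT)):
        print("runs as kernel_t:", path)
```
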