2009-01-05 17:57:05

by Stephen Smalley

Subject: [refpolicy] [PATCH] Add kernel_service class and access vector definition

The kernel_service class and permissions are now defined in the mainline
kernel, and thus need to be reserved in the policy (thankfully there is
no conflicting definition already there). With this patch applied, a
make in policy/flask yields identical headers to the latest mainline
kernel headers.

Index: refpolicy/policy/flask/security_classes
===================================================================
--- refpolicy/policy/flask/security_classes (revision 2895)
+++ refpolicy/policy/flask/security_classes (working copy)
@@ -116,4 +116,7 @@
class x_synthetic_event # userspace
class x_application_data # userspace

+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
# FLASK
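Review bot: the new class is appended after x_application_data and before the `# FLASK` end marker rather than inserted earlier in the list, which is the right placement since class numbering in the generated headers is positional and existing class values must not shift; please also extend the comment on the `+# kernel services ...` line with the kernel release that introduced the class, so policy maintainers can tell which kernels will actually enforce it.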
Index: refpolicy/policy/flask/access_vectors
===================================================================
--- refpolicy/policy/flask/access_vectors (revision 2895)
+++ refpolicy/policy/flask/access_vectors (working copy)
@@ -782,3 +782,9 @@
paste_after_confirm
copy
}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
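Review bot: the two permissions `use_as_override` and `create_files_as` are added without any per-permission comment, and nothing else on the page describes what each one means beyond the security_classes comment about kernel services overriding task security; a one-line comment per permission (what override a service obtains and what the created files are labelled with) would help reviewers of later policy that grants them. The order of the two permissions must also match the kernel's definition order, since the description relies on the generated headers being identical to the mainline ones.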

--
Stephen Smalley
National Security Agency


2009-01-05 18:19:06

by Eric Paris

Subject: [refpolicy] [PATCH] Add kernel_service class and access vector definition

On Mon, Jan 5, 2009 at 12:57 PM, Stephen Smalley <[email protected]> wrote:
> The kernel_service class and permissions are now defined in the mainline
> kernel, and thus need to be reserved in the policy (thankfully there is
> no conflicting definition already there). With this patch applied, a
> make in policy/flask yields identical headers to the latest mainline
> kernel headers.

certainly an ACK from me.

-Eric

2009-01-05 22:00:00

by cpebenito

Subject: [refpolicy] [PATCH] Add kernel_service class and access vector definition

On Mon, 2009-01-05 at 12:57 -0500, Stephen Smalley wrote:
> The kernel_service class and permissions are now defined in the mainline
> kernel, and thus need to be reserved in the policy (thankfully there is
> no conflicting definition already there). With this patch applied, a
> make in policy/flask yields identical headers to the latest mainline
> kernel headers.

Merged.

> Index: refpolicy/policy/flask/security_classes
> ===================================================================
> --- refpolicy/policy/flask/security_classes (revision 2895)
> +++ refpolicy/policy/flask/security_classes (working copy)
> @@ -116,4 +116,7 @@
> class x_synthetic_event # userspace
> class x_application_data # userspace
>
> +# kernel services that need to override task security, e.g. cachefiles
> +class kernel_service
> +
> # FLASK
> Index: refpolicy/policy/flask/access_vectors
> ===================================================================
> --- refpolicy/policy/flask/access_vectors (revision 2895)
> +++ refpolicy/policy/flask/access_vectors (working copy)
> @@ -782,3 +782,9 @@
> paste_after_confirm
> copy
> }
> +
> +class kernel_service
> +{
> + use_as_override
> + create_files_as
> +}
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150