I guess read_policy is a permissive required together with read_file_perms for /selinux/policy. What audit_access actually does i do not know. Also i re-ordered execmod and open because currently it was not complete.
Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 0ef9b12... 1966443... M policy/flask/access_vectors
policy/flask/access_vectors | 18 ++++--------------
1 files changed, 4 insertions(+), 14 deletions(-)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 0ef9b12..1966443 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -27,6 +27,9 @@ common file
swapon
quotaon
mounton
+ audit_access
+ open
+ execmod
}
@@ -152,7 +155,6 @@ inherits file
reparent
search
rmdir
- open
}
class file
@@ -160,8 +162,6 @@ inherits file
{
execute_no_trans
entrypoint
- execmod
- open
}
class lnk_file
@@ -172,27 +172,16 @@ inherits file
{
execute_no_trans
entrypoint
- execmod
- open
}
class blk_file
inherits file
-{
- open
-}
class sock_file
inherits file
-{
- open
-}
class fifo_file
inherits file
-{
- open
-}
class fd
{
@@ -363,6 +352,7 @@ class security
setbool
setsecparam
setcheckreqprot
+ read_policy
}
--
1.7.4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110214/4436a879/attachment.bin
On Mon, 2011-02-14 at 21:43 +0100, Dominick Grift wrote:
> I guess read_policy is a permissive required together with read_file_perms for /selinux/policy. What audit_access actually does i do not know. Also i re-ordered execmod and open because currently it was not complete.
>
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> :100644 100644 0ef9b12... 1966443... M policy/flask/access_vectors
> policy/flask/access_vectors | 18 ++++--------------
> 1 files changed, 4 insertions(+), 14 deletions(-)
>
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index 0ef9b12..1966443 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -27,6 +27,9 @@ common file
> swapon
> quotaon
> mounton
> + audit_access
> + open
> + execmod
> }
You can't insert permissions into the common definition without
perturbing the permission values for subsequent permissions in the
per-class definitions. That isn't a problem for recent kernels with
dynamic class/permission mapping support, but it will break
compatibility for older kernels. What you can do instead is to add new
permissions, like audit_access, to the end of each per-file class, and
then kernels with the dynamic class/perm mapping support will
transparently map the values.
>
>
> @@ -152,7 +155,6 @@ inherits file
> reparent
> search
> rmdir
> - open
> }
Likewise you can't move or remove permissions from kernel classes
without breaking old kernels.
>
> class file
> @@ -160,8 +162,6 @@ inherits file
> {
> execute_no_trans
> entrypoint
> - execmod
> - open
> }
>
> class lnk_file
> @@ -172,27 +172,16 @@ inherits file
> {
> execute_no_trans
> entrypoint
> - execmod
> - open
> }
>
> class blk_file
> inherits file
> -{
> - open
> -}
>
> class sock_file
> inherits file
> -{
> - open
> -}
>
> class fifo_file
> inherits file
> -{
> - open
> -}
>
> class fd
> {
> @@ -363,6 +352,7 @@ class security
> setbool
> setsecparam
> setcheckreqprot
> + read_policy
> }
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Stephen Smalley
National Security Agency
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/16/2011 06:43 PM, Stephen Smalley wrote:
>
> You can't insert permissions into the common definition without
> perturbing the permission values for subsequent permissions in the
> per-class definitions. That isn't a problem for recent kernels with
> dynamic class/permission mapping support, but it will break
> compatibility for older kernels. What you can do instead is to add new
> permissions, like audit_access, to the end of each per-file class, and
> then kernels with the dynamic class/perm mapping support will
> transparently map the values.
>
Thanks for the clarification, was wondering already about why it was
added the way it was. Issue with execmod, open permission in refpolicy
is that its not added to all classes that support it currently.
I guess i will submit a retry.
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk1cDjoACgkQMlxVo39jgT/AtwCcCmU8Fq7rVHCpYzwvYItUs/Il
w6wAn1orGBMblcXOHCGXLsnUBESU9x8t
=pJYW
-----END PGP SIGNATURE-----
On Wed, Feb 16, 2011 at 12:49 PM, Dominick Grift <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/16/2011 06:43 PM, Stephen Smalley wrote:
>
>>
>> You can't insert permissions into the common definition without
>> perturbing the permission values for subsequent permissions in the
>> per-class definitions. ?That isn't a problem for recent kernels with
>> dynamic class/permission mapping support, but it will break
>> compatibility for older kernels. ?What you can do instead is to add new
>> permissions, like audit_access, to the end of each per-file class, and
>> then kernels with the dynamic class/perm mapping support will
>> transparently map the values.
>>
>
> Thanks for the clarification, was wondering already about why it was
> added the way it was. Issue with execmod, open permission in refpolicy
> is that its not added to all classes that support it currently.
>
> I guess i will submit a retry.
I know dan has a patch in rawhide that does it right....