From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 10 Oct 2008 13:20:04 -0400
Subject: [refpolicy] services_smartmon.patch
In-Reply-To: <48ED5624.5050403@redhat.com>
References: <48DA9C76.8070400@redhat.com> <1223496431.2165.123.camel@gorn.columbia.tresys.com> <48ED5624.5050403@redhat.com>
Message-ID: <1223659204.2165.160.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2008-10-08 at 20:53 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Wed, 2008-09-24 at 16:00 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_smartmon.patch
> >>
> >> Add initrc script support
> >>
> >> allow admin to start/stop service
> >>
> >> Admin needs admin_pattern on all file types
> >>
> >> smartmon reads netlink route information
> >>
> >> Needs to resolve dns names
> >>
> >> Someone said it needs mls_file_write_all_levels
> >
> > Merged except for the MLS bit. Shouldn't it instead be running at
> > system high? Its purpose is to monitor the disks which are all system
> > high.
> >
> Updated smartmon patch to run at system_high, also latest fsdaemon
> creates devices.

I don't see a range transition. Also, if it's running at system high,
does it still need the mls_file_write_all_levels()?

> plain text document attachment (services_smartmon.patch)
> --- nsaserefpolicy/policy/modules/services/smartmon.te 2008-10-08 19:00:27.000000000 -0400
> +++ serefpolicy-3.5.11/policy/modules/services/smartmon.te 2008-10-08 20:36:17.000000000 -0400
> @@ -26,7 +26,7 @@
>
> allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
> dontaudit fsdaemon_t self:capability sys_tty_config;
> -allow fsdaemon_t self:process signal_perms;
> +allow fsdaemon_t self:process { signal_perms setfscreate };
> allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
> allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
> allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
> @@ -66,6 +66,7 @@
> fs_search_auto_mountpoints(fsdaemon_t)
>
> mls_file_read_all_levels(fsdaemon_t)
> +mls_file_write_all_levels(fsdaemon_t)
>
> storage_raw_read_fixed_disk(fsdaemon_t)
> storage_raw_write_fixed_disk(fsdaemon_t)
> @@ -99,3 +100,10 @@
> optional_policy(`
> udev_read_db(fsdaemon_t)
> ')
> +
> +dev_del_entry_generic_dirs(fsdaemon_t)
> +storage_dev_filetrans_fixed_disk(fsdaemon_t)
> +storage_manage_fixed_disk(fsdaemon_t)
> +seutil_read_file_contexts(fsdaemon_t)
> +selinux_validate_context(fsdaemon_t)
> +

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
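Review bot: the `setfscreate` added in the first hunk (`+allow fsdaemon_t self:process { signal_perms setfscreate };`) lets the daemon pick the label of files it creates and needs a one-line comment in smartmon.te saying why, since the hunk gives no reason and the cover note only says the latest fsdaemon creates devices. If the nodes it creates are fixed disks, the `storage_dev_filetrans_fixed_disk(fsdaemon_t)` added in the last hunk already labels them on creation without the daemon choosing a context, so confirm from an observed denial that smartd really sets a create context before keeping this; otherwise drop `setfscreate` together with `seutil_read_file_contexts` and `selinux_validate_context`, which are only needed alongside it.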
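Review bot: `+mls_file_write_all_levels(fsdaemon_t)` in the second hunk is a write-down override that lets the domain write files at every MLS level, and none of the three hunks adds a ranged domain declaration or range transition, so the cover message's claim that the daemon now runs at system_high is not backed by this diff. Either add the ranged transition (so the daemon's own level covers the system-high disks and the override is unnecessary) or keep the override and document in a comment which file at another level it must write; granting both would be broader than either. The `mls_file_read_all_levels(fsdaemon_t)` on the context line above should be settled by the same decision.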
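Review bot: the five unconditional interface calls added at the end of the third hunk (`+dev_del_entry_generic_dirs(fsdaemon_t)` through `+selinux_validate_context(fsdaemon_t)`) sit after the `optional_policy(\` udev_read_db(fsdaemon_t) ')` block, where refpolicy convention keeps only optional blocks; move them up into the main section of smartmon.te, grouped alphabetically by module next to the existing `storage_raw_read_fixed_disk`/`storage_raw_write_fixed_disk` calls, so they are reviewed in context rather than appended. The hunk also ends with an empty `+` line that adds a trailing blank line to the file; drop it. Separately, `storage_manage_fixed_disk` combined with `dev_del_entry_generic_dirs` lets the daemon create, rewrite and delete fixed-disk device nodes in /dev; if the stated need is only creating missing nodes, check whether delete and rewrite are actually required and grant the narrower set if not.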