From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 13 Oct 2008 11:10:07 -0400 Subject: [refpolicy] kerneloops policy modification In-Reply-To: <48EFB7B7.1070107@redhat.com> References: <48EFB7B7.1070107@redhat.com> Message-ID: <1223910607.21012.13.camel@gorn> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 2008-10-10 at 16:14 -0400, Daniel J Walsh wrote: > Add initrscript labeling > > Kerneloops sends itself signals > > Needs to tread routing table. Merged. > plain text document attachment (services_kerneloops.patch) > --- nsaserefpolicy/policy/modules/services/kerneloops.fc 2008-08-07 11:15:11.000000000 -0400 > +++ serefpolicy-3.5.12/policy/modules/services/kerneloops.fc 2008-10-10 16:08:15.000000000 -0400 > @@ -1 +1,3 @@ > +/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0) > + > /usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0) > --- nsaserefpolicy/policy/modules/services/kerneloops.if 2008-08-07 11:15:11.000000000 -0400 > +++ serefpolicy-3.5.12/policy/modules/services/kerneloops.if 2008-10-10 16:08:15.000000000 -0400 > @@ -71,13 +71,25 @@ > ## Domain allowed access. > ## > ## > +## > +## > +## The role to be allowed to manage the kerneloops domain. > +## > +## > ## > # > interface(`kerneloops_admin',` > gen_require(` > type kerneloops_t; > + type kerneloops_initrc_exec_t; > ') > > allow $1 kerneloops_t:process { ptrace signal_perms }; > ps_process_pattern($1, kerneloops_t) > + > + init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) > + domain_system_change_exemption($1) > + role_transition $2 kerneloops_initrc_exec_t system_r; > + allow $2 system_r; > + > ') > --- nsaserefpolicy/policy/modules/services/kerneloops.te 2008-08-07 11:15:11.000000000 -0400 > +++ serefpolicy-3.5.12/policy/modules/services/kerneloops.te 2008-10-10 16:08:15.000000000 -0400 
> @@ -10,13 +10,16 @@ > type kerneloops_exec_t; > init_daemon_domain(kerneloops_t, kerneloops_exec_t) > > +type kerneloops_initrc_exec_t; > +init_script_file(kerneloops_initrc_exec_t) > + > ######################################## > # > # kerneloops local policy > # > > allow kerneloops_t self:capability sys_nice; > -allow kerneloops_t self:process { setsched getsched }; > +allow kerneloops_t self:process { setsched getsched signal }; > allow kerneloops_t self:fifo_file rw_file_perms; > > kernel_read_ring_buffer(kerneloops_t) > @@ -24,6 +27,8 @@ > # Init script handling > domain_use_interactive_fds(kerneloops_t) > > +allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms; > + > corenet_all_recvfrom_unlabeled(kerneloops_t) > corenet_all_recvfrom_netlabel(kerneloops_t) > corenet_tcp_sendrecv_all_if(kerneloops_t) -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
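Review bot: In the kerneloops.if hunk, kerneloops_admin now depends on a second argument: `role_transition $2 kerneloops_initrc_exec_t system_r;` and `allow $2 system_r;` both expand with an empty role if a caller still passes only the domain. Any caller of kerneloops_admin should be updated in the same change to pass the role. The blank line added before the closing `')` can also be dropped.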
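Review bot: In the first kerneloops.te hunk (@@ -10,13 +10,16 @@), the widened rule `allow kerneloops_t self:process { setsched getsched signal };` carries no comment explaining the new permission. The reason is only in the mail text ("Kerneloops sends itself signals"), so a one-line comment above the rule would keep it with the policy. Granting just `signal` here, rather than the `signal_perms` set used in the admin interface, keeps the self rule narrow.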
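Review bot: In the second kerneloops.te hunk (@@ -24,6 +27,8 @@), `allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;` lands directly under the "# Init script handling" comment, after `domain_use_interactive_fds(kerneloops_t)`, although it has nothing to do with init script handling. It would read better grouped with the other `self:` rules in the local policy block, next to `allow kerneloops_t self:fifo_file rw_file_perms;`, with a short comment that it is for reading the routing table.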