From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 13 Oct 2008 11:10:07 -0400
Subject: [refpolicy] kerneloops policy modification
In-Reply-To: <48EFB7B7.1070107@redhat.com>
References: <48EFB7B7.1070107@redhat.com>
Message-ID: <1223910607.21012.13.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Fri, 2008-10-10 at 16:14 -0400, Daniel J Walsh wrote:
> Add initrscript labeling
>
> Kerneloops sends itself signals
>
> Needs to tread routing table.
Merged.
> plain text document attachment (services_kerneloops.patch)
> --- nsaserefpolicy/policy/modules/services/kerneloops.fc 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/kerneloops.fc 2008-10-10 16:08:15.000000000 -0400
> @@ -1 +1,3 @@
> +/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0)
> +
> /usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
> --- nsaserefpolicy/policy/modules/services/kerneloops.if 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/kerneloops.if 2008-10-10 16:08:15.000000000 -0400
> @@ -71,13 +71,25 @@
> ## Domain allowed access.
> ##
> ##
> +##
> +##
> +## The role to be allowed to manage the kerneloops domain.
> +##
> +##
> ##
> #
> interface(`kerneloops_admin',`
> gen_require(`
> type kerneloops_t;
> + type kerneloops_initrc_exec_t;
> ')
>
> allow $1 kerneloops_t:process { ptrace signal_perms };
> ps_process_pattern($1, kerneloops_t)
> +
> + init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
> + domain_system_change_exemption($1)
> + role_transition $2 kerneloops_initrc_exec_t system_r;
> + allow $2 system_r;
> +
> ')
> --- nsaserefpolicy/policy/modules/services/kerneloops.te 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/kerneloops.te 2008-10-10 16:08:15.000000000 -0400
> @@ -10,13 +10,16 @@
> type kerneloops_exec_t;
> init_daemon_domain(kerneloops_t, kerneloops_exec_t)
>
> +type kerneloops_initrc_exec_t;
> +init_script_file(kerneloops_initrc_exec_t)
> +
> ########################################
> #
> # kerneloops local policy
> #
>
> allow kerneloops_t self:capability sys_nice;
> -allow kerneloops_t self:process { setsched getsched };
> +allow kerneloops_t self:process { setsched getsched signal };
> allow kerneloops_t self:fifo_file rw_file_perms;
>
> kernel_read_ring_buffer(kerneloops_t)
> @@ -24,6 +27,8 @@
> # Init script handling
> domain_use_interactive_fds(kerneloops_t)
>
> +allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
> +
> corenet_all_recvfrom_unlabeled(kerneloops_t)
> corenet_all_recvfrom_netlabel(kerneloops_t)
> corenet_tcp_sendrecv_all_if(kerneloops_t)
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150