From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 03 Dec 2008 10:32:19 -0500
Subject: [refpolicy] services_snmp.patch
In-Reply-To: <492C6CBB.5050806@redhat.com>
References: <492C6CBB.5050806@redhat.com>
Message-ID: <1228318344.9691.547.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
>
> Add initrc labeling support
>
> /var/agentx needs a label
>
> Clean up admin interface
>
> snmp needs getsched, setsched
>
> needs ipc_lock and sys_ptrace

These two caps came up earlier this week; it makes me wonder if there is any similarity (does it fit into a pattern?). The other one had kill (was already on snmpd_t), sys_ptrace, and ipc_lock too. Snmpd doesn't have process ptrace or process sigkill perms, which is why this seems questionable.

> Reads file systems and rw xen state
>
> Dontaudit ptrace domains
>
> Checks all executables
>
> Does walks of the file systems
>
> Execs consoletype,
>
> Communicates with virtual machines and xen machines

I put the kernel_*_xen_state() calls in with the other xen_*() calls.

Merged with some other tweaks.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
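A small policy-review check, added here as an example and not part of services_snmp.patch or of refpolicy itself: it parses plain allow rules from a constructed .te fragment and flags domains that are granted capability sys_ptrace or kill without any process ptrace or signal permission, the mismatch Chris points out above. The rule set and the dbg_t domain are constructed for illustration; m4 interface calls are not expanded.

```python
import re
from collections import defaultdict

# Constructed policy fragment (hypothetical; not the real services_snmp.patch).
# snmpd_t gets kill and sys_ptrace but no process signal/ptrace rules, while the
# made-up dbg_t domain pairs sys_ptrace with an actual process ptrace rule.
SAMPLE_POLICY = """
allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace };
allow snmpd_t self:process { getsched setsched };
allow dbg_t self:capability sys_ptrace;
allow dbg_t domain:process ptrace;
"""

# Matches "allow <src> <tgt>:<class> <perm | { perms }>;" on one line.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;", re.M)

# Heuristic pairing: a capability is only useful if the domain also holds a
# process permission that would exercise it (sys_ptrace -> ptrace, kill -> signals).
CAP_NEEDS_PROCESS = {
    "sys_ptrace": {"ptrace"},
    "kill": {"signal", "sigkill", "sigstop", "signull", "sigchld"},
}


def parse_allow_rules(policy_text):
    """Return {source_domain: {object_class: set(permissions)}} for all allow rules."""
    rules = defaultdict(lambda: defaultdict(set))
    for src, _tgt, cls, perms in ALLOW_RE.findall(policy_text):
        rules[src][cls].update(perms.strip("{} ").split())
    return rules


def suspicious_capabilities(policy_text):
    """List (domain, capability) pairs where the capability is granted but the
    domain has no process permission that would make use of it."""
    findings = []
    for domain, by_class in parse_allow_rules(policy_text).items():
        caps = by_class.get("capability", set())
        process_perms = by_class.get("process", set())
        for cap, needed in CAP_NEEDS_PROCESS.items():
            if cap in caps and not (needed & process_perms):
                findings.append((domain, cap))
    return sorted(findings)


if __name__ == "__main__":
    for domain, cap in suspicious_capabilities(SAMPLE_POLICY):
        print(f"{domain}: capability {cap} granted without a matching process permission")
```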