From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 03 Dec 2008 18:09:03 -0500
Subject: [refpolicy] services_snmp.patch
In-Reply-To: <1228318344.9691.547.camel@gorn>
References: <492C6CBB.5050806@redhat.com> <1228318344.9691.547.camel@gorn>
Message-ID: <4937118F.30205@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Christopher J. PeBenito wrote:
> On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
>>
>> Add initrc labeling support
>>
>> /var/agentx needs a label
>>
>> Clean up admin interface
>>
>> snmp needs getsched, setsched
>>
>> needs ipc_lock and sys_ptrace
>
> These two caps came up earlier this week; it makes me wonder if there is
> any similarity (does it fit into a pattern?). The other one had kill
> (was already on snmpd_t), sys_ptrace, and ipc_lock too. Snmpd doesn't
> have process ptrace or process sigkill perms, which is why this seems
> questionable.
>
>> Reads file systems and rw xen state
>>
>> Dontaudit ptrace domains
>>
>> Checks all executables
>>
>> Does walks of the file systems
>>
>> Execs consoletype
>>
>> Communicates with virtual machines and xen machines
>
> I put the kernel_*_xen_state() calls in with the other xen_*() calls.
>
> Merged with some other tweaks.
>
But the xen stuff is optional while the kernel* calls are not. So if you used a policy without xen policy you still want to use the xen device.
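The module layout Walsh is arguing for, written out as an added illustration rather than a transcription of services_snmp.patch (the patch itself is only linked above, not quoted). The point is the split between calls that resolve against the base policy and calls that resolve against an optional module: kernel_*_xen_state() comes from kernel.if, which is always built, while xen_*() comes from xen.if, which may be absent, so only the latter belongs inside optional_policy(). The interface names and the capability set below are assumptions chosen to match the items listed in the thread, not the text of the patch.

```selinux
########################################
#
# snmpd local policy (illustrative fragment, not the merged refpolicy text)
#

# Capabilities and scheduling permissions the patch asks for; sys_ptrace and
# ipc_lock are the two PeBenito questions above. Assumed set, not the patch's.
allow snmpd_t self:capability { dac_override ipc_lock kill net_admin sys_nice sys_ptrace };
allow snmpd_t self:process { getsched setsched signal_perms };

# kernel_* interfaces live in the kernel module, which is part of the base
# policy, so they resolve even when xen is not built. They must therefore
# stay OUTSIDE optional_policy(), otherwise a non-xen build silently loses
# access to the xen device nodes Walsh refers to.
kernel_read_xen_state(snmpd_t)
kernel_write_xen_state(snmpd_t)

# "Reads file systems", "does walks of the file systems", "checks all
# executables" (interface names assumed to exist in fs.if/files.if/corecmd.if).
fs_getattr_all_fs(snmpd_t)
files_search_all(snmpd_t)
corecmd_read_all_executables(snmpd_t)

# "Dontaudit ptrace domains": silence, rather than allow, the process:ptrace
# denials generated while enumerating the process table.
domain_dontaudit_ptrace_all_domains(snmpd_t)

# consoletype is its own module, so its interface is wrapped too.
optional_policy(`
	consoletype_exec(snmpd_t)
')

# Anything from xen.if goes here. If the xen module is not present the whole
# block is dropped by m4 instead of failing with an undefined macro.
optional_policy(`
	xen_stream_connect(snmpd_t)
	xen_stream_connect_xenstore(snmpd_t)
')
```

To confirm the layout survives a tree without xen, turn the xen module off in policy/modules.conf and rebuild: a xen_*() call left outside optional_policy() fails at that point as an undefined macro, while the kernel_*_xen_state() calls still resolve. On the questioned capability, the check a reviewer would want before accepting sys_ptrace is to look at what operation raised it: reading another process's /proc/<pid> entries (environ, maps and similar) goes through the kernel's ptrace_may_access() check and so produces a capability sys_ptrace denial without any process:ptrace AVC, which would explain why snmpd's process-table walk shows the capability but not the process permission. ausearch -m AVC -c snmpd on a box running the daemon in permissive mode shows which case applies.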