From: sds@tycho.nsa.gov (Stephen Smalley)
Date: Mon, 05 Jan 2009 12:57:05 -0500
Subject: [refpolicy] [PATCH] Add kernel_service class and access vector definition
Message-ID: <1231178225.3102.23.camel@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The kernel_service class and permissions are now defined in the mainline kernel, and thus need to be reserved in the policy (thankfully there is no conflicting definition already there). With this patch applied, a make in policy/flask yields identical headers to the latest mainline kernel headers.

Index: refpolicy/policy/flask/security_classes =================================================================== --- refpolicy/policy/flask/security_classes (revision 2895) +++ refpolicy/policy/flask/security_classes (working copy) @@ -116,4 +116,7 @@ class x_synthetic_event # userspace class x_application_data # userspace +# kernel services that need to override task security, e.g. cachefiles +class kernel_service + # FLASK Index: refpolicy/policy/flask/access_vectors =================================================================== --- refpolicy/policy/flask/access_vectors (revision 2895) +++ refpolicy/policy/flask/access_vectors (working copy) @@ -782,3 +782,9 @@ paste_after_confirm copy } + +class kernel_service +{ + use_as_override + create_files_as +}

--
Stephen Smalley
National Security Agency
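
Review bot: In the security_classes hunk, the comment above `class kernel_service` names cachefiles as a user but does not say that this is a kernel-defined class whose position in the file fixes its class value. The neighbouring entries are tagged `# userspace`, so a later edit could insert another class above this one and break the header match the commit message relies on. Suggest extending the comment, for example `# kernel class; keep in the order the mainline kernel defines it`.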
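
Review bot: In the access_vectors hunk, `use_as_override` and `create_files_as` are added without any comment, while the matching security_classes entry gets one. Suggest a short comment above `class kernel_service` here saying what each permission gates and that the two must stay in the order the kernel defines them, since the commit message states that the generated headers have to remain identical to mainline.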