From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 05 Jan 2009 17:00:00 -0500 Subject: [refpolicy] [PATCH] Add kernel_service class and access vector definition In-Reply-To: <1231178225.3102.23.camel@localhost.localdomain> References: <1231178225.3102.23.camel@localhost.localdomain> Message-ID: <1231192800.19364.0.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 2009-01-05 at 12:57 -0500, Stephen Smalley wrote: > The kernel_service class and permissions are now defined in the mainline > kernel, and thus need to be reserved in the policy (thankfully there is > no conflicting definition already there). With this patch applied, a > make in policy/flask yields identical headers to the latest mainline > kernel headers. Merged. > Index: refpolicy/policy/flask/security_classes > =================================================================== > --- refpolicy/policy/flask/security_classes (revision 2895) > +++ refpolicy/policy/flask/security_classes (working copy) > @@ -116,4 +116,7 @@ > class x_synthetic_event # userspace > class x_application_data # userspace > > +# kernel services that need to override task security, e.g. cachefiles > +class kernel_service > + > # FLASK > Index: refpolicy/policy/flask/access_vectors > =================================================================== > --- refpolicy/policy/flask/access_vectors (revision 2895) > +++ refpolicy/policy/flask/access_vectors (working copy) > @@ -782,3 +782,9 @@ > paste_after_confirm > copy > } > + > +class kernel_service > +{ > + use_as_override > + create_files_as > +} > -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
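Review bot: In the security_classes hunk (@@ -116,4 +116,7 @@), the new "class kernel_service" entry is appended after the userspace classes x_synthetic_event and x_application_data, and nothing in the comment says that its position is significant. The stated goal is that a make in policy/flask yields headers identical to the mainline kernel's, so the comment above the class could note that the entry has to stay in this slot to match the kernel's definition. That would keep a later class from being inserted ahead of it.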
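Review bot: In the access_vectors hunk (@@ -782,3 +782,9 @@), use_as_override and create_files_as are added with no comment, while the matching security_classes entry at least explains what the class is for. A one-line comment per permission saying what it controls would help policy writers who meet these names in a denial. It would also help to say in the patch description that only the class and its two permissions are reserved here: the patch touches just the two flask files, so any allow rules or interfaces for kernel_service would have to come in a separate change.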