From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 14 Apr 2010 14:41:46 -0400 Subject: [refpolicy] [ munin patch 1/1] Run munin with full mcs range if mcs is enabled. In-Reply-To: <20100413204243.GA15930@localhost.localdomain> References: <20100413204243.GA15930@localhost.localdomain> Message-ID: <1271270506.19154.3.camel@gorn> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 2010-04-13 at 22:42 +0200, Dominick Grift wrote: > Example: > avc: denied { ioctl } for pid=3774 comm="grep" path="/proc/1564/status" dev=proc ino=21569 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=file I'm not sure why you would get this. The constraint is: mlsconstrain file { read ioctl lock execute execute_no_trans } (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); and t2 is cupsd_t, which is a domain. > Signed-off-by: Dominick Grift > --- > :100644 100644 9991b78... c407dc1... M policy/modules/services/munin.te > policy/modules/services/munin.te | 3 +++ > 1 files changed, 3 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te > index 9991b78..c407dc1 100644 > --- a/policy/modules/services/munin.te > +++ b/policy/modules/services/munin.te > @@ -28,6 +28,9 @@ files_type(munin_var_lib_t) > type munin_var_run_t alias lrrd_var_run_t; > files_pid_file(munin_var_run_t) > > +ifdef(`enable_mcs',` init_ranged_daemon_domain(munin_t, munin_exec_t, s0 - mcs_systemhigh) > +') > + > ######################################## > # > # Local policy > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
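Review bot: the justification given for the hunk does not hold for the only denial offered. In the quoted AVC the target is tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023, so t2 is a domain type and the mlsconstrain quoted in the reply is already satisfied through `( t2 == domain )`; widening munin_t to `s0 - mcs_systemhigh` cannot be what clears that ioctl denial. Before the range change goes in, the commit message should cite a denial against a non-domain target that carries categories (a file labelled s0:c0.c1023 is what the `( h1 dom h2 )` clause actually blocks), or the ioctl on /proc/1564/status should be chased as an ordinary type-enforcement gap instead. Two smaller points on the hunk itself: the new block is inserted after `files_pid_file(munin_var_run_t)` rather than next to the munin_t/munin_exec_t declaration where the module's daemon-domain call normally sits, and the hunk does not show how the ranged call is reconciled with any existing unconditional `init_daemon_domain(munin_t, munin_exec_t)` in munin.te; keeping the ranged and unranged forms adjacent, with only one of them taking effect, would make that visible in the diff.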
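To make the reply's reasoning mechanical, here is an added example (not code from the thread or from refpolicy) that parses the quoted AVC line and evaluates the MCS constraint from the reply, `( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )`, against the source and target contexts. The attribute membership table and the var_log_t target used in the second check are assumptions for illustration; on a real system the sets come from `seinfo -adomain -x` and `seinfo -amcsreadall -x` against the loaded policy. Under MCS the sensitivity is always s0, so `h1 dom h2` reduces to the source high category set being a superset of the target's.

```python
import re

# AVC line as quoted in the thread (copied, not a live capture).
AVC = ('avc: denied { ioctl } for pid=3774 comm="grep" path="/proc/1564/status" '
       'dev=proc ino=21569 scontext=system_u:system_r:munin_t:s0 '
       'tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=file')

# Assumed attribute membership for this example only; real answers come
# from `seinfo -adomain -x` / `seinfo -amcsreadall -x` on the loaded policy.
ATTRIBUTES = {"domain": {"munin_t", "cupsd_t"}, "mcsreadall": set()}

# Permissions covered by the constraint quoted in the reply.
CONSTRAINED = {"file": {"read", "ioctl", "lock", "execute", "execute_no_trans"}}


def parse_categories(level):
    """'s0:c0.c1023,c5' -> frozenset of category numbers; 's0' -> empty set."""
    if ":" not in level:
        return frozenset()
    cats = set()
    for part in level.split(":", 1)[1].split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError("bad category spec: %r" % part)
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def parse_context(ctx):
    """user:role:type:low[-high] -> (type, low_categories, high_categories)."""
    _user, _role, type_, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    return type_, parse_categories(low), parse_categories(high or low)


def parse_avc(line):
    """Pull the permissions, class and both contexts out of an AVC denial."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    perms = re.search(r"\{ ([^}]*) \}", line).group(1).split()
    return {"perms": perms, "tclass": fields["tclass"],
            "scontext": fields["scontext"], "tcontext": fields["tcontext"]}


def mcs_constraint_allows(scontext, tcontext, tclass, perm, attrs=ATTRIBUTES):
    """Evaluate (h1 dom h2) or (t1 == mcsreadall) or (t2 == domain).

    Returns (allowed, reason). h1/h2 are the high ends of the source and
    target ranges; with a single sensitivity, dominance is set inclusion.
    """
    if tclass not in CONSTRAINED or perm not in CONSTRAINED[tclass]:
        return True, "permission not covered by this constraint"
    t1, _, h1 = parse_context(scontext)
    t2, _, h2 = parse_context(tcontext)
    if h1 >= h2:
        return True, "h1 dom h2"
    if t1 in attrs["mcsreadall"]:
        return True, "t1 == mcsreadall"
    if t2 in attrs["domain"]:
        return True, "t2 == domain"
    return False, "h1 does not dominate h2 and neither type exception applies"


def explain_denial(line, attrs=ATTRIBUTES):
    """Map each denied permission to whether the MCS constraint permits it."""
    avc = parse_avc(line)
    return {perm: mcs_constraint_allows(avc["scontext"], avc["tcontext"],
                                        avc["tclass"], perm, attrs)
            for perm in avc["perms"]}


if __name__ == "__main__":
    for perm, (ok, why) in explain_denial(AVC).items():
        print("%s: %s (%s)" % (perm, "constraint satisfied" if ok else "blocked", why))
```

Running it on the quoted line reports that ioctl is already permitted by the constraint via `t2 == domain`, which is the reply's point: the denial must come from somewhere other than MCS. The same evaluator also shows what the patch would change: against a non-domain target carrying categories, a plain s0 munin_t fails on `h1 dom h2`, while munin_t running at s0-s0:c0.c1023 satisfies it.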