From: domg472@gmail.com (Dominick Grift) Date: Mon, 4 Oct 2010 20:23:44 +0200 Subject: [refpolicy] [ patch 32/44] su: wants to read inits keyring. In-Reply-To: <1286216636-28449-1-git-send-email-domg472@gmail.com> References: <1286216636-28449-1-git-send-email-domg472@gmail.com> Message-ID: <1286216636-28449-34-git-send-email-domg472@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Signed-off-by: Dominick Grift --- :100644 100644 9337ed7... dd9c7bf... M policy/modules/admin/su.if :100644 100644 8419a01... b80886e... M policy/modules/system/init.if policy/modules/admin/su.if | 1 + policy/modules/system/init.if | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+), 0 deletions(-) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 9337ed7..dd9c7bf 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -228,6 +228,7 @@ template(`su_role_template',` init_dontaudit_use_fds($1_su_t) # Write to utmp. init_rw_utmp($1_su_t) + init_search_key_script($1_su_t) mls_file_write_all_levels($1_su_t) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 8419a01..b80886e 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1176,6 +1176,24 @@ interface(`init_dontaudit_use_script_fds',` ######################################## ## +## Search init script keys. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_search_key_script',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:key search; +') + +######################################## +## ## Get the process group ID of init scripts. ## ## -- 1.7.2.3
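Review bot: In the su.if hunk, the new init_search_key_script($1_su_t) call sits directly under the "# Write to utmp." comment with no separator, so it reads as part of the utmp access. Give it its own comment line (for example "# Search init script keys.") or separate it with a blank line. The commit message carries only the Signed-off-by, so a sentence on when su triggers this key access (the denial that motivated it) would help reviewers judge whether an allow rule is the right answer here.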
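Review bot: In the init.if hunk, the interface name init_search_key_script puts "script" after the object, while the neighbouring interface in the hunk header is init_dontaudit_use_script_fds and the summary itself reads "Search init script keys."; init_search_script_keys would match both. The subject line also says su wants to "read inits keyring", but the rule is "allow $1 initrc_t:key search;", which grants search only and applies to the init script domain's keys. Either adjust the subject to say "search init script keys" or confirm that search is the permission that is actually needed.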