From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 08 Oct 2010 08:45:30 -0400 Subject: [refpolicy] [ patch 32/44] su: wants to read inits keyring. In-Reply-To: <1286216636-28449-34-git-send-email-domg472@gmail.com> References: <1286216636-28449-1-git-send-email-domg472@gmail.com> <1286216636-28449-34-git-send-email-domg472@gmail.com> Message-ID: <4CAF126A.5010001@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/04/10 14:23, Dominick Grift wrote: > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if > index 8419a01..b80886e 100644 > --- a/policy/modules/system/init.if > +++ b/policy/modules/system/init.if > @@ -1176,6 +1176,24 @@ interface(`init_dontaudit_use_script_fds',` > > ######################################## > ## > +## Search init script keys. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_search_key_script',` What you said in the IRC channel is right, init_search_script_key() is a better interface name. > + gen_require(` > + type initrc_t; > + ') > + > + allow $1 initrc_t:key search; > +') > + > +######################################## > +## > ## Get the process group ID of init scripts. > ## > ## -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
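Review bot: The subject says su wants to read init's keyring, but the only rule in the new interface body, `allow $1 initrc_t:key search;`, grants the search permission alone and targets the init script domain initrc_t, not init itself. The added summary line "Search init script keys." already describes the rule accurately, so I would reword the subject to match it, or explain in the patch description why the keyring su touches is labeled initrc_t. The interface should also be renamed to init_search_script_key(), as noted in the reply above, with any caller updated in the same patch.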