From: domg472@gmail.com (Dominick Grift)
Date: Fri, 8 Oct 2010 15:08:57 +0200
Subject: [refpolicy] [ patch 1/1] [retry] su: wants to read inits script keyring.
Message-ID: <20101008130853.GA6175@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Signed-off-by: Dominick Grift
---
:100644 100644 a0aa8c5... d20bdfc... M policy/modules/admin/su.if
:100644 100644 8419a01... cdd18b4... M policy/modules/system/init.if
policy/modules/admin/su.if | 1 +
policy/modules/system/init.if | 18 ++++++++++++++++++
2 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index a0aa8c5..d20bdfc 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -85,6 +85,7 @@ template(`su_restricted_domain_template', `
 init_dontaudit_use_script_ptys($1_su_t)
 # Write to utmp.
 init_rw_utmp($1_su_t)
+ init_search_script_key($1_su_t)
 logging_send_syslog_msg($1_su_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 8419a01..cdd18b4 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1176,6 +1176,24 @@ interface(`init_dontaudit_use_script_fds',`
 ########################################
 ##
+## Search init script keys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_search_script_key',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:key search;
+')
+
+########################################
+##
 ## Get the process group ID of init scripts.
 ##
 ##
--
1.7.2.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101008/b4342025/attachment.bin
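Review bot: In the policy/modules/admin/su.if hunk, `init_search_script_key($1_su_t)` sits directly under the `# Write to utmp.` comment, so that comment now appears to cover a keyring access it has nothing to do with. I would set the call apart with a blank line and give it its own comment, for example `# Search the keyring of the init script that started su.` (presumably the case behind the denial; confirm against the AVC). The call is added only to su_restricted_domain_template, whose body starts and ends outside this hunk; if the file defines other su templates that can be started from init scripts, they may need the same call.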
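Review bot: In the policy/modules/system/init.if hunk, `allow $1 initrc_t:key search;` gives the caller search access to every key labelled initrc_t, and neither the interface summary nor the commit message records the denial that justifies it. The subject line speaks of reading the keyring while the rule grants only `search`; these are separate permissions in the `key` class, so it is worth stating which one the AVC actually showed. If su works without the access and the denial is only audit noise, an interface carrying `dontaudit $1 initrc_t:key search;` would keep the su domains at least privilege. The interface name is singular (`init_search_script_key`) while its summary says "keys"; settling on one form keeps the interface set predictable.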