From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 11 Oct 2010 09:37:14 -0400 Subject: [refpolicy] [ patch 1/1] [retry] su: wants to read inits script keyring. In-Reply-To: <20101008130853.GA6175@localhost.localdomain> References: <20101008130853.GA6175@localhost.localdomain> Message-ID: <4CB3130A.4040204@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/08/10 09:08, Dominick Grift wrote: > > Signed-off-by: Dominick Grift Merged. > :100644 100644 a0aa8c5... d20bdfc... M policy/modules/admin/su.if > :100644 100644 8419a01... cdd18b4... M policy/modules/system/init.if > policy/modules/admin/su.if | 1 + > policy/modules/system/init.if | 18 ++++++++++++++++++ > 2 files changed, 19 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if > index a0aa8c5..d20bdfc 100644 > --- a/policy/modules/admin/su.if > +++ b/policy/modules/admin/su.if > @@ -85,6 +85,7 @@ template(`su_restricted_domain_template', ` > init_dontaudit_use_script_ptys($1_su_t) > # Write to utmp. > init_rw_utmp($1_su_t) > + init_search_script_key($1_su_t) > > logging_send_syslog_msg($1_su_t) > > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if > index 8419a01..cdd18b4 100644 > --- a/policy/modules/system/init.if > +++ b/policy/modules/system/init.if 
> @@ -1176,6 +1176,24 @@ interface(`init_dontaudit_use_script_fds',` > > ######################################## > ## > +## Search init script keys. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_search_script_key',` > + gen_require(` > + type initrc_t; > + ') > + > + allow $1 initrc_t:key search; > +') > + > +######################################## > +## > ## Get the process group ID of init scripts. > ## > ## > > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
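Review bot: In the su.if hunk, the new `init_search_script_key($1_su_t)` call sits directly under the `# Write to utmp.` comment, so it reads as part of the utmp access although it grants a key permission. Separate it from `init_rw_utmp($1_su_t)` and give it its own comment line, for example `# Search the init script keyring.` The subject says su wants to read the keyring while the call grants only search, and the message includes no denial record. Stating which access was denied would let a reader confirm that search alone is sufficient.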
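Review bot: In the init.if hunk, the interface name `init_search_script_key` is singular while its summary line reads "Search init script keys."; pick one form so that the name and the documentation agree. The rule itself, `allow $1 initrc_t:key search;`, is limited to the single `search` permission on `initrc_t`, which matches the summary, so no change is needed there.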