From: guido@trentalancia.com (Guido Trentalancia) Date: Tue, 25 Jan 2011 19:20:03 +0100 Subject: [refpolicy] [PATCH/RFC 9/19]: patch set to update the git reference policy In-Reply-To: <4D3D9C0F.2060403@gmail.com> References: <1295829854.3862.68.camel@tesla.lan> <4D3D864F.3040402@gmail.com> <1295883127.1547.1.camel@tesla.lan> <4D3D9C0F.2060403@gmail.com> Message-ID: <1295979603.3051.7.camel@tesla.lan> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello again Dominick ! On Mon, 24/01/2011 at 16.34 +0100, Dominick Grift wrote: > On 01/24/2011 04:32 PM, Guido Trentalancia wrote: > > On Mon, 24/01/2011 at 15.01 +0100, Dominick Grift wrote: > >> On 01/24/2011 01:44 AM, Guido Trentalancia wrote: > >>> diff -pruN refpolicy-git-18012011-update-work/policy/modules/services/devicekit.te refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.te > >>> --- refpolicy-git-18012011-update-work/policy/modules/services/devicekit.te 2011-01-23 23:13:48.170284646 +0100 > >>> +++ refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.te 2011-01-23 23:31:31.456301488 +0100 > >>> @@ -43,6 +43,7 @@ dev_read_sysfs(devicekit_t) > >>> dev_read_urand(devicekit_t) > >>> > >>> files_read_etc_files(devicekit_t) > >>> +files_read_etc_runtime_files(devicekit_t) > >>> > >>> miscfiles_read_localization(devicekit_t) > >>> > >>> @@ -188,7 +189,7 @@ optional_policy(` > >>> # > >>> > >>> allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; > >>> -allow devicekit_power_t self:process getsched; > >>> +allow devicekit_power_t self:process { getsched signal }; > >>> allow devicekit_power_t self:fifo_file rw_fifo_file_perms; > >>> allow devicekit_power_t self:unix_dgram_socket create_socket_perms; > >>> allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; 
> >>> @@ -197,12 +198,15 @@ manage_dirs_pattern(devicekit_power_t, d > >>> manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) > >>> files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) > >>> > >>> +kernel_search_fs_sysctl(devicekit_power_t) > >>> +kernel_rw_vm_sysctls(devicekit_power_t) > >>> kernel_read_network_state(devicekit_power_t) > >>> kernel_read_system_state(devicekit_power_t) > >>> kernel_rw_hotplug_sysctls(devicekit_power_t) > >>> kernel_rw_kernel_sysctl(devicekit_power_t) > >>> kernel_search_debugfs(devicekit_power_t) > >>> kernel_write_proc_files(devicekit_power_t) > >>> +kernel_setsched(devicekit_power_t) > >>> > >>> corecmd_exec_bin(devicekit_power_t) > >>> corecmd_exec_shell(devicekit_power_t) > >>> @@ -219,9 +223,11 @@ dev_rw_sysfs(devicekit_power_t) > >>> > >>> files_read_kernel_img(devicekit_power_t) > >>> files_read_etc_files(devicekit_power_t) > >>> +files_rw_etc_runtime_files(devicekit_power_t) > >>> files_read_usr_files(devicekit_power_t) > >>> > >>> fs_list_inotifyfs(devicekit_power_t) > >>> +fs_remount_xattr_fs(devicekit_power_t) > >>> > >>> term_use_all_terms(devicekit_power_t) > >>> > >>> @@ -234,6 +240,11 @@ sysnet_domtrans_ifconfig(devicekit_power > >>> > >>> userdom_read_all_users_state(devicekit_power_t) > >>> > >>> +devicekit_getattr_apm_bios_files_power(devicekit_power_t) > >>> + > >>> +mount_exec_getattr(devicekit_power_t)
> >>
> >> This interface name doesn't make sense to me
> >
> > So, what name do you propose instead ?
>
> something like mount_getattr_executable_file() or something. Although
> besides the naming issue, I am not sure whether there is a real need for
> the interface at all.

The name has been changed according to the one that you proposed. Yes, it's needed, unless the explicit permissions are written down as allowed rules in the TE file, which is not very readable.

Regards,

Guido
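
Review bot: in the @@ -197,12 +198,15 @@ hunk, kernel_rw_vm_sysctls(devicekit_power_t) and kernel_setsched(devicekit_power_t) are added with no comment or denial log showing why the power daemon needs write access to the VM sysctls or setsched on the kernel. The context of the previous hunk shows this domain already holds sys_admin, sys_nice and sys_ptrace, so each further kernel-facing grant should be justified in the patch description. If the observed denials were reads only, a read-only sysctl interface should replace the rw one.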
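
Review bot: in the @@ -219,9 +223,11 @@ hunk, files_rw_etc_runtime_files(devicekit_power_t) grants write access where the first hunk gives devicekit_t only files_read_etc_runtime_files, and fs_remount_xattr_fs(devicekit_power_t) lets the power domain remount filesystems; neither is explained. Please state which operation of the daemon triggered each denial, drop the rw variant to read unless a write was actually denied, and add a short comment above the remount line saying why a power management domain needs it.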
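
Review bot: in the @@ -234,6 +240,11 @@ hunk, devicekit_getattr_apm_bios_files_power(devicekit_power_t) is a devicekit_ interface called from devicekit.te on the module's own domain, which is not what interfaces are for; access to a type owned by another module should go through that module's interface rather than a new one in devicekit. The second added call, mount_exec_getattr(devicekit_power_t), puts the object before the verb, unlike the other calls in this patch (files_read_etc_files, fs_remount_xattr_fs), and the definitions of both new interfaces are not part of the visible hunks, so the permissions they grant cannot be checked here. Please include the .if changes in the same patch.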