From: sds@tycho.nsa.gov (Stephen Smalley) Date: Wed, 16 Feb 2011 12:43:21 -0500 Subject: [refpolicy] [ access_vectors patch 1/2] Add access vectors: audit_access, read_policy. In-Reply-To: <20110214204329.GA9388@localhost.localdomain> References: <20110214204329.GA9388@localhost.localdomain> Message-ID: <1297878201.27031.44.camel@moss-pluto> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 2011-02-14 at 21:43 +0100, Dominick Grift wrote: > I guess read_policy is a permission required together with read_file_perms for /selinux/policy. What audit_access actually does I do not know. Also I re-ordered execmod and open because currently it was not complete. > > Signed-off-by: Dominick Grift > --- > :100644 100644 0ef9b12... 1966443... M policy/flask/access_vectors > policy/flask/access_vectors | 18 ++++-------------- > 1 files changed, 4 insertions(+), 14 deletions(-) > > diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors > index 0ef9b12..1966443 100644 > --- a/policy/flask/access_vectors > +++ b/policy/flask/access_vectors > @@ -27,6 +27,9 @@ common file > swapon > quotaon > mounton > + audit_access > + open > + execmod > } You can't insert permissions into the common definition without perturbing the permission values for subsequent permissions in the per-class definitions. That isn't a problem for recent kernels with dynamic class/permission mapping support, but it will break compatibility for older kernels. What you can do instead is to add new permissions, like audit_access, to the end of each per-file class, and then kernels with the dynamic class/perm mapping support will transparently map the values. > > > @@ -152,7 +155,6 @@ inherits file > reparent > search > rmdir > - open > } Likewise you can't move or remove permissions from kernel classes without breaking old kernels. > > class file > @@ -160,8 +162,6 @@ inherits file > { > execute_no_trans > entrypoint > - execmod > - open > } > > class lnk_file 
> @@ -172,27 +172,16 @@ inherits file > { > execute_no_trans > entrypoint > - execmod > - open > } > > class blk_file > inherits file > -{ > - open > -} > > class sock_file > inherits file > -{ > - open > -} > > class fifo_file > inherits file > -{ > - open > -} > > class fd > { > @@ -363,6 +352,7 @@ class security > setbool > setsecparam > setcheckreqprot > + read_policy > } > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Stephen Smalley National Security Agency
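Review bot: in the `@@ -27,6 +27,9 @@ common file` hunk, audit_access is added with no statement of what the kernel checks it for, and the commit message itself says its purpose is unknown; the permission needs a one-line description before it is merged. Inserting it into common file (together with open and execmod moved in from the per-class lists) also changes the value of every class-specific permission that follows the common block, so a policy built from this file is misread by kernels without dynamic class/permission mapping. Append audit_access at the end of each per-file class list instead and leave common file as it is.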
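Review bot: the `@@ -152,7 +155,6 @@` hunk deletes open from class dir, which removes a permission from the position older kernels already assign to it; the permission has to stay where it is, and any new dir permission goes after rmdir and open at the end of the block.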
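Review bot: the `@@ -160,8 +162,6 @@` hunk removes execmod and open from class file for the same reason and has the same compatibility problem as the dir hunk. Moving execmod into common also hands it to every class that inherits file, including dir, lnk_file, blk_file, sock_file and fifo_file, none of which declared it before this patch; confirm the kernel actually defines execmod on those classes before widening it that way.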
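Review bot: in the `@@ -172,27 +172,16 @@` hunk, chr_file loses execmod and open exactly as class file does, and the brace blocks of blk_file, sock_file and fifo_file vanish once open moves to common. The empty-block form is syntactically fine (lnk_file already inherits file with no block), but it again shifts open away from the value older kernels expect; keep `{ open }` in each of those classes and add audit_access after it.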
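Review bot: read_policy in the `@@ -363,6 +352,7 @@ class security` hunk is appended after setcheckreqprot at the end of the class, which is the right position for compatibility, but the commit message only guesses what it is for ("I guess read_policy is ... required ... for /selinux/policy"). State the kernel check it corresponds to in the commit message so the permission does not land undocumented.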
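To make the numbering argument in the reply concrete, here is an added example (not refpolicy or checkpolicy code) that assigns permission values the way the policy compiler does and compares the patch above with the alternative the reply suggests. It assumes the usual scheme: permissions of the inherited common block get values 1..n in declaration order, the class's own permissions continue from n+1, and value v is bit `1 << (v - 1)` of an access vector. The three access_vectors fragments are constructed and heavily abbreviated; only their relative ordering matters.

```python
"""Permission values derived from access_vectors ordering.

Added example for the refpolicy thread; not refpolicy or checkpolicy code.
Assumes checkpolicy's scheme: inherited common permissions get values 1..n,
the class's own permissions continue from n+1, value v is bit 1 << (v - 1).
"""
import re

# Constructed, abbreviated stand-in for the pre-patch access_vectors.
BEFORE = """
common file { ioctl read write mounton }
class file inherits file { execute_no_trans entrypoint execmod open }
class dir inherits file { add_name rmdir open }
class lnk_file inherits file
"""

# The same fragment with the reviewed patch applied: open and execmod are
# pulled into common and audit_access is inserted alongside them.
PATCHED = """
common file { ioctl read write mounton audit_access open execmod }
class file inherits file { execute_no_trans entrypoint }
class dir inherits file { add_name rmdir }
class lnk_file inherits file
"""

# The alternative from the reply: leave common alone and append the new
# permission at the end of each per-file class.
APPENDED = """
common file { ioctl read write mounton }
class file inherits file { execute_no_trans entrypoint execmod open audit_access }
class dir inherits file { add_name rmdir open audit_access }
class lnk_file inherits file { audit_access }
"""

_TOKEN = re.compile(r"[{}]|[A-Za-z_][A-Za-z0-9_]*")


def parse_access_vectors(text):
    """Parse common/class declarations; return {class: {perm: value}}."""
    toks = _TOKEN.findall(text)
    commons, classes = {}, {}

    def read_block(pos):
        # toks[pos] is '{'; collect names up to the matching '}'.
        perms, pos = [], pos + 1
        while toks[pos] != "}":
            perms.append(toks[pos])
            pos += 1
        return perms, pos + 1

    i = 0
    while i < len(toks):
        if toks[i] == "common":
            name = toks[i + 1]
            commons[name], i = read_block(i + 2)
        elif toks[i] == "class":
            name, i = toks[i + 1], i + 2
            inherited, own = [], []
            if i < len(toks) and toks[i] == "inherits":
                inherited, i = list(commons[toks[i + 1]]), i + 2
            if i < len(toks) and toks[i] == "{":
                own, i = read_block(i)
            ordered = inherited + own
            if len(set(ordered)) != len(ordered):
                raise ValueError(f"duplicate permission in class {name}")
            if len(ordered) > 32:  # an access vector is 32 bits wide
                raise ValueError(f"class {name} exceeds 32 permissions")
            classes[name] = {p: v for v, p in enumerate(ordered, start=1)}
        else:
            raise ValueError(f"unexpected token {toks[i]!r}")
    return classes


def shifted_permissions(old, new):
    """Permissions present in both maps whose value differs: {cls: {perm: (old, new)}}.

    A policy compiled against `new` and loaded on a kernel that still uses
    the `old` values (no dynamic class/permission mapping) has every bit
    listed here interpreted as a different permission.
    """
    shifted = {}
    for cls, perms in old.items():
        for perm, value in perms.items():
            new_value = new.get(cls, {}).get(perm)
            if new_value is not None and new_value != value:
                shifted.setdefault(cls, {})[perm] = (value, new_value)
    return shifted


def to_bitmask(classes, cls, perms):
    """Access-vector bits for `perms` under the given value assignment."""
    mask = 0
    for perm in perms:
        mask |= 1 << (classes[cls][perm] - 1)
    return mask


def decode(classes, cls, mask):
    """Permission names a kernel using `classes` sees in `mask`."""
    return sorted(p for p, v in classes[cls].items() if mask & (1 << (v - 1)))


if __name__ == "__main__":
    before, patched, appended = map(parse_access_vectors, (BEFORE, PATCHED, APPENDED))
    print("changed by the patch:", shifted_permissions(before, patched))
    print("changed by appending:", shifted_permissions(before, appended))
    # allow ... :file { open } compiled with patched values, read by an old kernel:
    grant = to_bitmask(patched, "file", ["open"])
    print("old kernel decodes patched 'open' as:", decode(before, "file", grant))
```

Run as a script, it lists every class-specific permission the patch renumbers (execute_no_trans, entrypoint and open in file; add_name, rmdir and open in dir) and shows an empty set for the append-at-the-end variant. The last line is the practical consequence: an `open` grant compiled with the patched layout lands on bit 6, which a kernel carrying the old layout reads as `entrypoint`, so a rule that was meant to permit opening a file ends up permitting a domain transition entry point instead.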