From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 22 Feb 2011 11:04:44 -0500
Subject: [refpolicy] [PATCH 1/34]: patch to allow readahead read init_t fifo files
In-Reply-To: <4D63DBED.5030100@tresys.com>
References: <1297836035.3205.30.camel@tesla.lan> <4D63DBED.5030100@tresys.com>
Message-ID: <4D63DE9C.8000703@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/22/2011 10:53 AM, Christopher J. PeBenito wrote:
> On 02/16/11 01:00, Guido Trentalancia wrote:
>> This patch adds a new interface init_read_fifo_file() and
>> uses it so that readahead can read init_t fifo files.
>
> This doesn't make sense to me. It's not run out of init; it shouldn't be
> inheriting unnamed pipes from init. It also makes me question the
> existing init_use_fds(readahead_t) rule in the policy.
>

It is run by systemd now in F15

ls /lib/systemd/systemd-readahead-*
/lib/systemd/systemd-readahead-collect
/lib/systemd/systemd-readahead-replay

>> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/admin/readahead.te refpolicy-git-02022011-new/policy/modules/admin/readahead.te
>> --- refpolicy-git-02022011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
>> +++ refpolicy-git-02022011-new/policy/modules/admin/readahead.te 2011-01-26 01:40:07.208360132 +0100
>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t) >> >> auth_dontaudit_read_shadow(readahead_t) >> >> +init_read_fifo_file(readahead_t) >> init_use_fds(readahead_t) >> init_use_script_ptys(readahead_t) >> init_getattr_initctl(readahead_t) >> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/system/init.if refpolicy-git-02022011-new/policy/modules/system/init.if >> --- refpolicy-git-02022011/policy/modules/system/init.if 2011-02-06 23:07:41.774207748 +0100 >> +++ refpolicy-git-02022011-new/policy/modules/system/init.if 2011-01-26 01:40:07.026309900 +0100 >> @@ -947,6 +947,24 @@ interface(`init_read_state',` >> >> ######################################## >> ## >> +## Read init fifo file. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`init_read_fifo_file',` >> + gen_require(` >> + type init_t; >> + ') >> + >> + allow $1 init_t:fifo_file read_fifo_file_perms; >> +') >> + >> +######################################## >> +## >> ## Ptrace init >> ## >> ##
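Review bot: the rationale for the new `init_read_fifo_file(readahead_t)` rule in the readahead.te hunk is missing from the patch description and only surfaces in this reply (readahead is now started by systemd as `/lib/systemd/systemd-readahead-collect` and `/lib/systemd/systemd-readahead-replay`, so it inherits init_t pipes); put that reasoning, together with the denial it resolves, in the commit message next to the existing `init_use_fds(readahead_t)` line so both rules can be reviewed as a pair. It is also worth stating explicitly that the rule grants read on every fifo_file labeled init_t, not only on the inherited descriptors.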
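Review bot: the doc comment added to init.if for `init_read_fifo_file` shows only bare `## ` lines between `+## Read init fifo file.` and `+## Domain allowed access.`, where refpolicy interface headers carry the `<summary>`, `<param name="domain">` and `<desc>` XML markup; if those tags were stripped in transit, confirm the committed version still has them, because the interface documentation is generated from that markup and an untagged block is silently skipped.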