From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 2 Jul 2012 10:47:43 -0400
Subject: [refpolicy] [PATCH v2 2/6] Allow init scripts to handle sysctls
In-Reply-To: <1340911046-30441-3-git-send-email-sven.vermeulen@siphos.be>
References: <1340911046-30441-1-git-send-email-sven.vermeulen@siphos.be> <1340911046-30441-3-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <4FF1B48F.4060909@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/28/12 15:17, Sven Vermeulen wrote:
> The init script(s) that set/reset the sysctls require the sys_admin capability
> (as you cannot change sysctls without it).
>
> Signed-off-by: Sven Vermeulen
> --- > policy/modules/system/init.te | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index 9fdd704..7dfd9a9 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te > @@ -222,7 +222,7 @@ optional_policy(` > # > > allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; > -allow initrc_t self:capability ~{ sys_admin sys_module }; > +allow initrc_t self:capability ~{ sys_module }; > dontaudit initrc_t self:capability sys_module; # sysctl is triggering this > allow initrc_t self:passwd rootok; > allow initrc_t self:key manage_key_perms;

We typically try to separate out the sys_admin privileges since it's so broad. Can a new domain be created?

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
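
Review bot: In the init.te hunk at line 222, the changed rule `allow initrc_t self:capability ~{ sys_module };` grants sys_admin only implicitly, by dropping it from a complement set, so nothing in the policy source states that initrc_t now holds it or why. sys_admin is among the broadest capabilities, and initrc_t is the domain the init scripts run in, so the grant reaches well past the script(s) that set or reset sysctls. Suggest leaving `~{ sys_admin sys_module }` in place and moving the sysctl handling into a dedicated domain that alone receives sys_admin. If the capability has to stay on initrc_t, add it as its own explicit allow rule with a comment naming the sysctl use case, in the same way the neighbouring dontaudit line is annotated with `# sysctl is triggering this`, so the grant can be found in an audit and removed later.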