From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 03 Jul 2012 09:59:52 -0400 Subject: [refpolicy] [PATCH v2 2/6] Allow init scripts to handle sysctls In-Reply-To: <20120702201951.GA19551@siphos.be> References: <1340911046-30441-1-git-send-email-sven.vermeulen@siphos.be> <1340911046-30441-3-git-send-email-sven.vermeulen@siphos.be> <4FF1B48F.4060909@tresys.com> <20120702201951.GA19551@siphos.be> Message-ID: <4FF2FAD8.8010202@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 7/2/2012 4:19 PM, Sven Vermeulen wrote: > On Mon, Jul 02, 2012 at 10:47:43AM -0400, Christopher J. PeBenito wrote: >>> allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; >>> -allow initrc_t self:capability ~{ sys_admin sys_module }; >>> +allow initrc_t self:capability ~{ sys_module }; >>> dontaudit initrc_t self:capability sys_module; # sysctl is triggering this >>> allow initrc_t self:passwd rootok; >>> allow initrc_t self:key manage_key_perms; >> >> We typically try to separate out the sys_admin privileges since its so broad. Can a new domain be created? > > Its the init script calling the sysctl binary. We currently don't hold a > separate domain for sysctl, but that's certainly doable. I guess it would > start with allowing both initrc_t and sysadm_t to transition to sysctl_t. > > But for some reason I think this has been thought of before - sysctl's are > well known throughout the policy (with specific labels for kernel sysctl's > and such). Was a new domain for sysctl's not done because there was little > need for, or am I missing something? My guess is that its a new capability check, or its a capability check for a sysctl that isn't often set. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com