From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 17 Oct 2012 16:15:01 +0200
Subject: [refpolicy] [PATCH] Changes to the kernel policy module
In-Reply-To:
References: <1350476958-5883-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <1350483301.16371.26.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2012-10-17 at 14:46 +0200, Sven Vermeulen wrote:
> For which socket is this? Why isn't the stream_connect_pattern needed
> here?

This is probably initramfs, I believe. There is no audit of a write to any sock file related to this.

Not sure exactly why, but I suspect it has to do with the fact that this happens so early in the boot process.

> On Oct 17, 2012 2:29 PM, "Dominick Grift" wrote:
> > Interface is needed by at least plymouth
> > Signed-off-by: Dominick Grift
> diff --git a/policy/modules/kernel/kernel.if > b/policy/modules/kernel/kernel.if > index 4bf45cb..7cbf5d6 100644 > --- a/policy/modules/kernel/kernel.if > +++ b/policy/modules/kernel/kernel.if > @@ -565,6 +565,25 @@ > > ######################################## > ## > +## Connect to kernel using a unix > +## domain stream socket. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`kernel_stream_connect',` > + gen_require(` > + type kernel_t; > + ') > + > + allow $1 kernel_t:unix_stream_socket connectto; > +') > + > +######################################## > +## > ## Get information on all System V IPC objects. > ## > ##
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
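
Review bot: the single allow rule in kernel_stream_connect grants only connectto on kernel_t:unix_stream_socket, with no sock_file write rule, so it is narrower than what stream_connect_pattern provides, and the interface description ("Connect to kernel using a unix domain stream socket.") does not say so. Suggest extending the description to state which socket this is meant for and why no sock file access is required (the reply points at initramfs, with no audited sock file write), so callers do not treat it as a general stream-connect interface. The commit message says the interface is needed by at least plymouth, but no caller appears in this hunk; sending the plymouth change that uses it in the same series would make the access easier to review.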