From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 10 Dec 2012 10:02:54 -0500
Subject: [refpolicy] Kernel-triggered scripts
In-Reply-To: <20121208211807.GA7476@siphos.be>
References: <20121208211807.GA7476@siphos.be>
Message-ID: <50C5F99E.7030004@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/08/2012 04:18 PM, Sven Vermeulen wrote:
> Hi guys,
>
> One of the init systems that Gentoo supports uses kernel-triggered scripts
> for managing cgroups (I'm pretty sure others do a similar thing). If the
> script is labeled as bin_t, the execution of the script runs as kernel_t.
>
> I'd like to set up a proper domain transition for this, but I'm not sure
> where to position it exactly. It is part of the init system, but it has
> little to do with "init" by itself, so I'm inclined to put it in either a
> separate module, or inside the portage module.
>
> What do other distributions do with kernel-triggered scripts? Let them run
> in the kernel_t domain? The domain runs as unconfined if you support
> unconfined domains, so it is possible most distributions have less impact
> on such things.
>
> Wkr,
> Sven Vermeulen

Currently we do nothing in Fedora.

sesearch -T -s kernel_t -c process
Found 5 semantic te rules:
   type_transition kernel_t anaconda_exec_t : process anaconda_t;
   type_transition kernel_t init_exec_t : process init_t;
   type_transition kernel_t insmod_exec_t : process insmod_t;
   type_transition kernel_t abrt_helper_exec_t : process abrt_helper_t;
   type_transition kernel_t udev_exec_t : process udev_t;

But adding confinement for these seems to make sense, since kernel_t will not
be unconfined in all circumstances. I don't believe Fedora/RHEL has many
scripts executed from the kernel, although I could be mistaken.
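A refpolicy-style module of the kind the thread is asking for, added here as an illustration; it is not code from this thread or from refpolicy itself. The type names, the script path in the file context and the agent's access to cgroup directories are assumptions; the interfaces used (kernel_domtrans_to, domain_type, domain_entry_file, fs_manage_cgroup_dirs, corecmd_exec_shell) are existing refpolicy interfaces.

```selinux
policy_module(cgroup_agent, 1.0.0)

########################################
#
# Declarations
#

# Hypothetical domain for a cgroup release agent script that the
# kernel executes; without this module the script, labeled bin_t,
# would keep running as kernel_t.
type cgroup_agent_t;
type cgroup_agent_exec_t;
domain_type(cgroup_agent_t)
domain_entry_file(cgroup_agent_t, cgroup_agent_exec_t)
role system_r types cgroup_agent_t;

########################################
#
# Policy
#

# Make kernel_t transition into cgroup_agent_t when it executes the
# script; this adds a sixth type_transition to the sesearch output above.
kernel_domtrans_to(cgroup_agent_t, cgroup_agent_exec_t)

# The agent is a shell script, so it needs the shell interpreter.
corecmd_exec_shell(cgroup_agent_t)

# Assumed: the agent removes the now-empty cgroup directory it was
# called for, and nothing else.
fs_manage_cgroup_dirs(cgroup_agent_t)

# File context for the script itself (hypothetical path), normally kept
# in the module's .fc file:
#   /usr/libexec/cgroup-release-agent -- gen_context(system_u:object_r:cgroup_agent_exec_t,s0)
```

After loading the module and relabeling the script, `sesearch -T -s kernel_t -c process` should list the new transition, and the agent's own denials (if any) will be logged against cgroup_agent_t rather than kernel_t.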