From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 17 Dec 2012 10:42:47 +0100 Subject: [refpolicy] [PATCH 5/8] Dontaudit getsched on all domains In-Reply-To: <1355737370-27628-1-git-send-email-sven.vermeulen@siphos.be> References: <1355737370-27628-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1355737370-27628-6-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The htop utility will attempt to get the scheduling information of all processes. This information however does not seem to be needed for its information (no difference in output when allowed or not). Signed-off-by: Sven Vermeulen --- policy/modules/kernel/domain.if | 18 ++++++++++++++++++ policy/modules/system/userdomain.if | 2 ++ 2 files changed, 20 insertions(+), 0 deletions(-) diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 6a1e4d1..caceae0 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -889,6 +889,24 @@ interface(`domain_getpgid_all_domains',` ######################################## ## +## Do not audit getting the scheduler information of all domains. +## +## +## +## Domain to not audit. +## +## +# +interface(`domain_dontaudit_getsched_all_domains',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:process getsched; +') + +######################################## +## ## Get the scheduler information of all domains. ## ## diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 6d4424b..99ab865 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -523,6 +523,8 @@ template(`userdom_common_user_template',` dev_read_sound_mixer($1_t) dev_write_sound_mixer($1_t) + domain_dontaudit_getsched_all_domains($1_t) + files_exec_etc_files($1_t) files_search_locks($1_t) # Check to see if cdrom is mounted -- 1.7.8.6
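Review bot: in the domain.if hunk, the doc comment of the new `domain_dontaudit_getsched_all_domains` interface shows only bare `##` lines around "Do not audit getting the scheduler information of all domains." and "Domain to not audit.", with no `<summary>`/`</summary>` or `<param name="domain">`/`</param>` markup visible; the interface documentation generator relies on that markup, so please confirm it is present in the actual patch and was only lost in the mail rendering. The body (`gen_require` of `attribute domain;` followed by `dontaudit $1 domain:process getsched;`) follows the same shape as the neighbouring `domain_getsched_all_domains` interface, and inserting the dontaudit variant directly ahead of it keeps the file's existing ordering.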
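Review bot: in the userdomain.if hunk, `domain_dontaudit_getsched_all_domains($1_t)` is added to `userdom_common_user_template`, so the getsched denial is silenced for every user domain derived from that template, not only where htop is run. Because dontaudit suppresses the AVC message rather than granting the access, this is the right call when the access is not needed (the description notes htop's output is identical with or without it), but it also means any other program in a user domain that later trips `domain:process getsched` across all domains will do so without a trace in the audit log; the commit message should state that trade-off explicitly. The placement between the `dev_*_sound_mixer` calls and `files_exec_etc_files` keeps the template's alphabetical interface ordering.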