From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 17 Dec 2012 11:26:04 +0100 Subject: [refpolicy] [PATCH 5/8] Dontaudit getsched on all domains In-Reply-To: <1355739655.2269.7.camel@localhost> References: <1355737370-27628-1-git-send-email-sven.vermeulen@siphos.be> <1355737370-27628-6-git-send-email-sven.vermeulen@siphos.be> <1355739655.2269.7.camel@localhost> Message-ID: <20121217102603.GA1030@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, Dec 17, 2012 at 11:20:55AM +0100, grift wrote: > > The htop utility will attempt to get the scheduling information of all > > processes. This information however does not seem to be needed for its > > information (no difference in output when allowed or not). [...] > > +interface(`domain_dontaudit_getsched_all_domains',` > > + gen_require(` > > + attribute domain; > > + ') > > + > > + dontaudit $1 domain:process getsched; > > +') [...] > > --- a/policy/modules/system/userdomain.if > > +++ b/policy/modules/system/userdomain.if > > @@ -523,6 +523,8 @@ template(`userdom_common_user_template',` > > dev_read_sound_mixer($1_t) > > dev_write_sound_mixer($1_t) > > > > + domain_dontaudit_getsched_all_domains($1_t) > > That is too coarse in my view. > > This will also dontaudit legitimate access for processes needing this > running in the user domain. > > Lets say i have this app that depends on this permission for itself: > > allow staff_t self:process { signal getsched }; > > Then this rule will silently hide that access I understand that, but the other method would be to create *_dontaudit_getsched for each and every possible module, and add it in the user domain definition fully loaded with optional_policy() statements. And if the user domain doesn't need getsched itself, then running htop will generate denials anyhow for self (i.e. in your above example, you'll get denials for staff_t getsched on itself) so eventually you'll add in a staff_dontaudit_getsched() for that too? Another alternative could be to run htop in its own domain, but that doesn't make sense imo... Wkr, Sven Vermeulen