From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 11 Nov 2013 10:19:31 -0500
Subject: [refpolicy] [RFC] Add security class and access vector permissions for systemd
In-Reply-To: <1384179151-1528-1-git-send-email-bigon@debian.org>
References: <1384179151-1528-1-git-send-email-bigon@debian.org>
Message-ID: <5280F583.5020307@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/11/2013 09:12 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville
>
> This patch adds the necessary security class and permissions for systemd.
>
> Fedora seems to add more permissions than the ones that are actually used in
> the source, I'm not too sure why, Daniel I guess you could help here?
>

Here is the current Fedora_flask patch.

You seem to be missing some access checks from service.

The Enable/Disable/Reload are caused by systemd generating its own internal
runtime unit files, and probably asking the wrong question. I think we need
to fix systemd to ask a question based on the service not the system for
these so they can be eliminated.

ptrace_child kernel patch has not been upstreamed, but the idea here is to
allow users to ptrace child processes rather than picking a random pid.

compromize_kernel in mac_admin2 is used to indicate that you are doing
something that could/would break secure_boot (I believe).

+ getnetgrp
+ shmemnetgrp

Are new checks used by nscd.

+class proxy
+{
+ read
+}

Is a new service used for gssproxy.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fedora_flask.patch
Type: text/x-patch
Size: 1361 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20131111/d4ca4535/attachment.bin