From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Thu, 29 May 2014 00:24:25 +0200
Subject: [refpolicy] [PATCH] Allow kern_unconfined domains to use syslog
 capability
In-Reply-To: <53848DF8.40601@tresys.com>
References: <1400862138-4079-1-git-send-email-nicolas.iooss@m4x.org>
	<53848DF8.40601@tresys.com>
Message-ID: <53866219.1040402@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

2014-05-27 15:07 GMT+02:00 Christopher J. PeBenito:
> On 05/23/2014 12:22 PM, Nicolas Iooss wrote:
>  
> Unconfined_t's capabilities are currently managed in unconfined.if.  That's where this should be fixed.
> 
This is actually not so true.  Here is the current situation about
unconfined_t capabilities:

* unconfined.te contains:

    allow unconfined_t self:capability2 block_suspend;
    unconfined_domain(unconfined_t)

* unconfined_domain interface is defined in unconfined.if and contains:

    allow $1 self:capability ~sys_module;

I don't understand why the "capability" policy of unconfined_t is
managed in unconfined.if and its "capability2" one in unconfined.te.
I would expect both to be either in unconfined.if or in unconfined.te,
but at the same time I don't know what can break if the current
situation is modified.

Back to my patch, where should I put the syslog capability2 permission?
In unconfined.te with block_suspend or in unconfined.if?

--
Nicolas