From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 28 Dec 2016 14:06:41 -0500
Subject: [refpolicy] [PATCH] shutdown: minor update
In-Reply-To: <1401336505.14562.1482881186452.JavaMail.open-xchange@popper05.register.it>
References: <2014691995.18775.1482877286620.JavaMail.open-xchange@popper10.register.it>
 <20161227234012.3401a42b@gentp.lnet>
 <1401336505.14562.1482881186452.JavaMail.open-xchange@popper05.register.it>
Message-ID: <52faa91e-e34f-fb79-1b21-02e3fe439e42@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/27/16 18:26, Guido Trentalancia via refpolicy wrote:
> Hello.
>
> When the system is shutting down, killall5 from sysvinit is called (of course,
> on those systems using sysvinit) to kill all processes. Killall5 then mounts
> and reads the /proc filesystem to get the list of processes.

If that's the case, then the patch is incomplete, as shutdown_t has no
mounting permissions.

>> On the 27th December 2016 at 23.40 Luis Ressel wrote:
>>
>>
>> On Tue, 27 Dec 2016 23:21:26 +0100 (CET)
>> Guido Trentalancia via refpolicy wrote:
>>
>>> --- a/policy/modules/contrib/shutdown.te 2016-08-06
>>> 21:27:11.424095136 +0200 +++
>>> b/policy/modules/contrib/shutdown.te 2016-12-19
>>> @@ -35,6 +36,7 @@ files_etc_filetrans(shutdown_t, shutdown
>>> manage_files_pattern(shutdown_t, shutdown_var_run_t,
>>> shutdown_var_run_t) files_pid_filetrans(shutdown_t,
>>> shutdown_var_run_t, file)
>>> +kernel_mounton_proc_dirs(shutdown_t)
>>> kernel_read_system_state(shutdown_t)
>>
>> What's that for?
>>
>> Regards,
>> Luis Ressel

-- 
Chris PeBenito
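Review bot: The added line `+kernel_mounton_proc_dirs(shutdown_t)` does not grant what the stated rationale needs: a mounton interface allows shutdown_t to use proc directories as mount points, whereas "killall5 mounts and reads the /proc filesystem" would require permission to mount the proc filesystem itself (in refpolicy that is the filesystem mount permission on proc_t, i.e. kernel_mount_proc), which this hunk does not add and which, as noted above, shutdown_t does not otherwise have. Either the rationale or the interface is wrong; the patch should also carry a commit message stating the denial it fixes (the AVC message or the killall5 code path), since reviewers had to ask "What's that for?". Note too that the quoted hunk is line-wrapped by the mail client (the `+++` header and the `manage_files_pattern`/`files_pid_filetrans` lines are split across lines), so it will not apply as quoted; resend it unwrapped or as an attachment.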