From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 29 Dec 2016 22:55:13 +0100 Subject: [refpolicy] [PATCH v2] shutdown: minor update In-Reply-To: <52faa91e-e34f-fb79-1b21-02e3fe439e42@ieee.org> References: <2014691995.18775.1482877286620.JavaMail.open-xchange@popper10.register.it> <20161227234012.3401a42b@gentp.lnet> <1401336505.14562.1482881186452.JavaMail.open-xchange@popper05.register.it> <52faa91e-e34f-fb79-1b21-02e3fe439e42@ieee.org> Message-ID: <1483048513.12123.1.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch updates the shutdown module for better compatibility with sysvinit. Requires the kernel_mount_proc() interface from the following recently submitted init patch (v2): http://oss.tresys.com/pipermail/refpolicy/2016-December/008873.html Signed-off-by: Guido Trentalancia --- policy/modules/contrib/shutdown.te | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff -pru a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te --- a/policy/modules/contrib/shutdown.te 2016-12-22 23:12:59.398081952 +0100 +++ b/policy/modules/contrib/shutdown.te 2016-12-29 22:42:10.724110198 +0100 @@ -25,8 +25,10 @@ files_pid_file(shutdown_var_run_t) # allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config }; +dontaudit shutdown_t self:capability sys_admin; allow shutdown_t self:process { setsched signal signull }; allow shutdown_t self:fifo_file manage_fifo_file_perms; +allow shutdown_t self:unix_dgram_socket create_socket_perms; allow shutdown_t self:unix_stream_socket create_stream_socket_perms; manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t) @@ -35,13 +37,17 @@ files_etc_filetrans(shutdown_t, shutdown manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t) files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) +kernel_mount_proc(shutdown_t) +kernel_mounton_proc_dirs(shutdown_t) kernel_read_system_state(shutdown_t) domain_use_interactive_fds(shutdown_t) -files_delete_boot_flag(shutdown_t) +files_create_boot_flag(shutdown_t) files_read_generic_pids(shutdown_t) +fs_getattr_xattr_fs(shutdown_t) + mls_file_write_to_clearance(shutdown_t) term_use_all_terms(shutdown_t)