* [refpolicy] kerneloops policy modification
@ 2008-10-10 20:14 Daniel J Walsh
  2008-10-13 15:10 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Daniel J Walsh @ 2008-10-10 20:14 UTC (permalink / raw)
  To: refpolicy

Add initrscript labeling

Kerneloops sends itself signals

Needs to read routing table.


* [refpolicy] kerneloops policy modification
  2008-10-10 20:14 [refpolicy] kerneloops policy modification Daniel J Walsh
@ 2008-10-13 15:10 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2008-10-13 15:10 UTC (permalink / raw)
  To: refpolicy

On Fri, 2008-10-10 at 16:14 -0400, Daniel J Walsh wrote:
> Add initrscript labeling
> 
> Kerneloops sends itself signals
> 
> Needs to read routing table.

Merged.

> plain text document attachment (services_kerneloops.patch)
> --- nsaserefpolicy/policy/modules/services/kerneloops.fc	2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/kerneloops.fc	2008-10-10 16:08:15.000000000 -0400
> @@ -1 +1,3 @@
> +/etc/rc\.d/init\.d/kerneloops	--	gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0)
> +
>  /usr/sbin/kerneloops	--	gen_context(system_u:object_r:kerneloops_exec_t,s0)
> --- nsaserefpolicy/policy/modules/services/kerneloops.if	2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/kerneloops.if	2008-10-10 16:08:15.000000000 -0400
> @@ -71,13 +71,25 @@
>  ##	Domain allowed access.
>  ##	</summary>
>  ## </param>
> +## <param name="role">
> +##	<summary>
> +##	The role to be allowed to manage the kerneloops domain.
> +##	</summary>
> +## </param>
>  ## <rolecap/>
>  #
>  interface(`kerneloops_admin',`
>  	gen_require(`
>  		type kerneloops_t;
> +		type kerneloops_initrc_exec_t;
>  	')
>  
>  	allow $1 kerneloops_t:process { ptrace signal_perms };
>  	ps_process_pattern($1, kerneloops_t)
> +	        
> +	init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
> +	domain_system_change_exemption($1)
> +	role_transition $2 kerneloops_initrc_exec_t system_r;
> +	allow $2 system_r;
> +
>  ')
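
Review bot: `kerneloops_admin` now expands `$2` in `role_transition $2 kerneloops_initrc_exec_t system_r;` and `allow $2 system_r;`, so the interface gains a required second argument, and any existing caller that passes only the domain will expand to a rule with an empty role. Those callers should be updated in the same change. `domain_system_change_exemption($1)` combined with the `system_r` role allow is also a broad grant for an admin interface and deserves a one-line comment saying why the init script transition needs it. Minor: the added line before `init_labeled_script_domtrans` contains only whitespace, and the added blank line before the closing `')` can be dropped.
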
> --- nsaserefpolicy/policy/modules/services/kerneloops.te	2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/kerneloops.te	2008-10-10 16:08:15.000000000 -0400
> @@ -10,13 +10,16 @@
>  type kerneloops_exec_t;
>  init_daemon_domain(kerneloops_t, kerneloops_exec_t)
>  
> +type kerneloops_initrc_exec_t;
> +init_script_file(kerneloops_initrc_exec_t)
> +
>  ########################################
>  #
>  # kerneloops local policy
>  #
>  
>  allow kerneloops_t self:capability sys_nice;
> -allow kerneloops_t self:process { setsched getsched };
> +allow kerneloops_t self:process { setsched getsched signal };
>  allow kerneloops_t self:fifo_file rw_file_perms;
>  
>  kernel_read_ring_buffer(kerneloops_t)
> @@ -24,6 +27,8 @@
>  # Init script handling
>  domain_use_interactive_fds(kerneloops_t)
>  
> +allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
> +
>  corenet_all_recvfrom_unlabeled(kerneloops_t)
>  corenet_all_recvfrom_netlabel(kerneloops_t)
>  corenet_tcp_sendrecv_all_if(kerneloops_t)
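
Review bot: the new `allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;` sits directly under the `# Init script handling` comment, after `domain_use_interactive_fds(kerneloops_t)`, where it reads as part of init script handling. It is a `self:` rule for reading the routing table, so it fits better with the other `self:` allow rules at the top of the local policy, next to `allow kerneloops_t self:fifo_file rw_file_perms;`.
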
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
