From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v2 2/6] Allow init scripts to handle sysctls
Date: Tue, 10 Jul 2012 08:27:42 -0400	[thread overview]
Message-ID: <4FFC1FBE.3070506@tresys.com> (raw)
In-Reply-To: <20120703174930.GA31482@siphos.be>

On 07/03/12 13:49, Sven Vermeulen wrote:
> On Tue, Jul 03, 2012 at 09:59:52AM -0400, Christopher J. PeBenito wrote:
>>> It's the init script calling the sysctl binary. We currently don't hold a
>>> separate domain for sysctl, but that's certainly doable. I guess it would
>>> start with allowing both initrc_t and sysadm_t to transition to sysctl_t.
>>>
>>> But for some reason I think this has been thought of before - sysctls are
>>> well known throughout the policy (with specific labels for kernel sysctls
>>> and such). Was a new domain for sysctls not done because there was little
>>> need for it, or am I missing something?
>>
>> My guess is that it's a new capability check, or it's a capability check for a sysctl that isn't often set.
> 
> Yes, there are apparently a few cases in sysctls where this is hit. In my
> particular case, it is on grsecurity sysctls. There's something in the
> kernel about "tainted" sysctls as well which also requires the CAP_SYS_ADMIN
> capability before writing to them.
> 
> That said, I removed that particular part from the patchset as I've still
> got a few questions on this case. I was first going to create a sysctl_t
> domain... but that one already exists, although it isn't a domain (yet) but
> rather the label given to sysctls in /proc/sys.
> 
> I don't think it is wise to make sysctl_t a domain as well, do you? If not,
> is it still a good idea to move sysctl into its own domain, and would I then
> need to rename sysctl_t (the current one) to something else, or look for
> another name for the domain?

It would be better to find another name for the domain, otherwise we'd have compatibility problems, e.g. someone has a custom policy module installed that has a domain that sets sysctls.
 
> Another way to handle this is to make a sysctl_initrc_t domain (like
> Dominick suggested) but that'll be more different for Gentoo to take as we
> currently don't use such named init scripts yet (but I have to start
> supporting that anyhow sometime, so this is as good a time as any I guess).

I don't have a strong feeling either way.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
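A sketch of the separately named domain discussed in this thread, written as an added example; it is not from Sven's patchset or from refpolicy itself. The module name sysctl_cmd, the types sysctl_cmd_t and sysctl_cmd_exec_t and the interface sysctl_cmd_run are hypothetical names chosen to avoid the sysctl_t clash raised above; the refpolicy interfaces it calls (init_system_domain, kernel_rw_all_sysctls, files_read_etc_files, init_use_fds, init_use_script_ptys, domtrans_pattern) are existing ones.

```selinux
## sysctl_cmd.fc -- label the sysctl binary as the domain's entry point
/sbin/sysctl		--	gen_context(system_u:object_r:sysctl_cmd_exec_t,s0)

## sysctl_cmd.if
########################################
## <summary>
##	Execute sysctl in the sysctl_cmd domain and allow the
##	given role (e.g. sysadm_r) to run it.
## </summary>
interface(`sysctl_cmd_run',`
	gen_require(`
		type sysctl_cmd_t, sysctl_cmd_exec_t;
	')

	domtrans_pattern($1, sysctl_cmd_exec_t, sysctl_cmd_t)
	role $2 types sysctl_cmd_t;
')

## sysctl_cmd.te
policy_module(sysctl_cmd, 1.0.0)

type sysctl_cmd_t;
type sysctl_cmd_exec_t;
# Declares the domain, makes sysctl_cmd_exec_t its entry point, and
# adds the initrc_t -> sysctl_cmd_t transition when an init script
# executes the binary, so initrc_t itself needs no new capability.
init_system_domain(sysctl_cmd_t, sysctl_cmd_exec_t)

# Writes to "tainted" and grsecurity sysctls are gated on CAP_SYS_ADMIN
# (as described in the thread); grant it to this small domain only.
allow sysctl_cmd_t self:capability sys_admin;

# Read /etc/sysctl.conf and write the values into /proc/sys (sysctl_t
# and its more specific labels).
files_read_etc_files(sysctl_cmd_t)
kernel_rw_all_sysctls(sysctl_cmd_t)

# Inherit the init script's file descriptors and pty for diagnostics.
init_use_fds(sysctl_cmd_t)
init_use_script_ptys(sysctl_cmd_t)
```

The sysadm_t side of the transition mentioned in the thread would then be a single call, `sysctl_cmd_run(sysadm_t, sysadm_r)`, placed in an optional_policy block of the sysadm policy rather than in this module.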
