From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Kernel-triggered scripts
Date: Mon, 10 Dec 2012 10:02:54 -0500
Message-ID: <50C5F99E.7030004@redhat.com>
In-Reply-To: <20121208211807.GA7476@siphos.be>

On 12/08/2012 04:18 PM, Sven Vermeulen wrote:
> Hi guys,
> 
> One of the init systems that Gentoo supports uses kernel-triggered scripts 
> for managing cgroups (I'm pretty sure others do a similar thing). If the 
> script is labeled as bin_t, the execution of the script runs as kernel_t.
> 
> I'd like to set up a proper domain transition for this, but I'm not sure 
> where to position it exactly. It is part of the init system, but it has 
> little to do with "init" by itself, so I'm inclined to put it in either a 
> separate module, or inside the portage module.
> 
> What do other distributions do with kernel-triggered scripts? Let them run 
> in the kernel_t domain? The domain runs as unconfined if you support 
> unconfined domains, so it is possible most distributions have less impact
> on such things.
> 
> Wkr, Sven Vermeulen

Currently we do nothing in Fedora.

sesearch -T -s kernel_t -c process
Found 5 semantic te rules:
   type_transition kernel_t anaconda_exec_t : process anaconda_t;
   type_transition kernel_t init_exec_t : process init_t;
   type_transition kernel_t insmod_exec_t : process insmod_t;
   type_transition kernel_t abrt_helper_exec_t : process abrt_helper_t;
   type_transition kernel_t udev_exec_t : process udev_t;

But adding confinement for these seems to make sense, since kernel_t will not
be unconfined in all circumstances.  I don't believe fedora/RHEL has many
scripts executed from the kernel, although I could be mistaken.
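
As an added illustration (not part of the thread and not code from refpolicy, Fedora or Gentoo) of what the transition Sven asks for looks like when written as a refpolicy module: the kernel spawns the release agent from kernel_t, so confining it comes down to giving the script its own entrypoint type and a domain that kernel_t transitions into, exactly like the init_exec_t/udev_exec_t rules in Dan's sesearch output. The module name, the domain and type names, the file path and the set of permissions granted are assumptions chosen for the example; a real agent may need more or fewer of them.

```selinux
# cgroup_release_agent.te  (hypothetical module name)
policy_module(cgroup_release_agent, 1.0.0)

########################################
#
# Declarations
#

# Domain for the script the kernel runs via call_usermodehelper
# when a cgroup becomes empty.  Both type names are assumptions.
type cgroup_release_agent_t;
type cgroup_release_agent_exec_t;
domain_type(cgroup_release_agent_t)
domain_entry_file(cgroup_release_agent_t, cgroup_release_agent_exec_t)
role system_r types cgroup_release_agent_t;

########################################
#
# Local policy
#

# This is the piece that replaces "runs as kernel_t": it expands to
#   type_transition kernel_t cgroup_release_agent_exec_t : process cgroup_release_agent_t;
# plus the execute / transition / entrypoint permissions that the
# domtrans_pattern needs, so the script no longer inherits kernel_t.
kernel_domtrans_to(cgroup_release_agent_t, cgroup_release_agent_exec_t)

# A shell script needs the interpreter and the usual bin_t helpers.
corecmd_exec_bin(cgroup_release_agent_t)
corecmd_exec_shell(cgroup_release_agent_t)

# The agent's only job is to remove the now-empty cgroup directory
# under the cgroup filesystem, so that is all it gets on cgroupfs.
fs_manage_cgroup_dirs(cgroup_release_agent_t)
fs_manage_cgroup_files(cgroup_release_agent_t)

files_read_etc_files(cgroup_release_agent_t)
miscfiles_read_localization(cgroup_release_agent_t)

# cgroup_release_agent.fc
# The path is an assumption; use whatever your init system installs and
# registers as the release_agent.  What matters is that the file carries
# the exec type rather than bin_t, otherwise kernel_t keeps running it.
#
# /usr/libexec/cgroup-release-agent(\.sh)? -- gen_context(system_u:object_r:cgroup_release_agent_exec_t,s0)
```

Once the module is loaded and the script relabelled, the same query Dan ran (sesearch -T -s kernel_t -c process) should list the new type_transition next to the init, udev and insmod ones, and the agent's denials will show up against cgroup_release_agent_t instead of vanishing into an unconfined kernel_t.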

Thread overview:
2012-12-08 21:18 [refpolicy] Kernel-triggered scripts Sven Vermeulen
2012-12-10 15:02 ` Daniel J Walsh [this message]