[refpolicy] [RFC] Add security class and access vector permissions for systemd

[dwalsh@redhat.com (Daniel J Walsh)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/11/2013 09:12 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> This patch add the necessary security class and permissions for systemd.
> 
> Fedora seems to add more permissions than the one that are actually used in
> the source, I'm not too sure why, Daniel I guess you could help here?
> 

Here is the current Fedora_flask patch.

You seem to be missing some access checks from service.

The Enable/Disable/Reload are caused by systemd generating its own internal
runtime unit files. and probably asking the wrong question.  I think we need
to fix systemd to ask a question based on the service not the system for these
so they can be eliminated.

ptrace_child kernel patch has not been upstreamed, but the idea here is to
allow users to ptrace child processes rather then picking a random pid.

compromize_kernel in mac_admin2 is used to indicate that you are doing
something that could/would break secure_boot, (I believe).


+       getnetgrp
+       shmemnetgrp

Are new checks used by nscd.

+class proxy
+{
+       read
+}

Is a new service used for gssproxy.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlKA9YMACgkQrlYvE4MpobMMaQCdGO2AzzanIAkIyBFMzdDIG+e0
rQ0AoJuM1ccR6FjmHT2yQG3ByIeUgiDS
=S7u5
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fedora_flask.patch
Type: text/x-patch
Size: 1361 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20131111/d4ca4535/attachment.bin