* [refpolicy] [RFC] Add security class and access vector permissions for systemd
@ 2013-11-11 14:12 Laurent Bigonville
2013-11-11 15:19 ` Daniel J Walsh
0 siblings, 1 reply; 2+ messages in thread
From: Laurent Bigonville @ 2013-11-11 14:12 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
This patch add the necessary security class and permissions for systemd.
Fedora seems to add more permissions than the one that are actually used in the
source, I'm not too sure why, Daniel I guess you could help here?
---
policy/flask/access_vectors | 15 +++++++++++++++
policy/flask/security_classes | 3 +++
2 files changed, 18 insertions(+)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index a94b169..260ea4c 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -393,6 +393,13 @@ class system
syslog_mod
syslog_console
module_request
+ halt
+ reboot
+ status
+ start
+ enable
+ disable
+ reload
}
#
@@ -865,3 +872,11 @@ inherits database
implement
execute
}
+
+class service
+{
+ start
+ stop
+ status
+ reload
+}
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 14a4799..2ee86d1 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -131,4 +131,7 @@ class db_view # userspace
class db_sequence # userspace
class db_language # userspace
+# systemd services
+class service #userspace
+
# FLASK
--
1.8.4.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [refpolicy] [RFC] Add security class and access vector permissions for systemd
2013-11-11 14:12 [refpolicy] [RFC] Add security class and access vector permissions for systemd Laurent Bigonville
@ 2013-11-11 15:19 ` Daniel J Walsh
0 siblings, 0 replies; 2+ messages in thread
From: Daniel J Walsh @ 2013-11-11 15:19 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/11/2013 09:12 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> This patch add the necessary security class and permissions for systemd.
>
> Fedora seems to add more permissions than the one that are actually used in
> the source, I'm not too sure why, Daniel I guess you could help here?
>
Here is the current Fedora_flask patch.
You seem to be missing some access checks from service.
The Enable/Disable/Reload are caused by systemd generating its own internal
runtime unit files. and probably asking the wrong question. I think we need
to fix systemd to ask a question based on the service not the system for these
so they can be eliminated.
ptrace_child kernel patch has not been upstreamed, but the idea here is to
allow users to ptrace child processes rather then picking a random pid.
compromize_kernel in mac_admin2 is used to indicate that you are doing
something that could/would break secure_boot, (I believe).
+ getnetgrp
+ shmemnetgrp
Are new checks used by nscd.
+class proxy
+{
+ read
+}
Is a new service used for gssproxy.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlKA9YMACgkQrlYvE4MpobMMaQCdGO2AzzanIAkIyBFMzdDIG+e0
rQ0AoJuM1ccR6FjmHT2yQG3ByIeUgiDS
=S7u5
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fedora_flask.patch
Type: text/x-patch
Size: 1361 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20131111/d4ca4535/attachment.bin
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2013-11-11 15:19 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-11-11 14:12 [refpolicy] [RFC] Add security class and access vector permissions for systemd Laurent Bigonville
2013-11-11 15:19 ` Daniel J Walsh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.