[refpolicy] services_snmp.patch
Christopher J. PeBenito
cpebenito at tresys.com
Wed Dec 3 09:32:19 CST 2008
On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
>
> Add initrc labeling support
>
> /var/agentx needs a label
>
> Clean up admin interface
>
> snmp needs getsched, setsched
>
> needs ipc_lock and sys_ptrace
These two caps came up earlier this week; it makes me wonder if there is
any similarity (does it fit into a pattern?). The other one had kill
(was already on snmpd_t), sys_ptrace, and ipc_lock too. Snmpd doesn't
have process ptrace or process sigkill perms, which is why this seems
questionable.
> Reads file systems and rw xen state
>
> Dontaudit ptrace domains
>
> Checks all executables
>
> Does walks of the file systems
>
> Execs consoletype
>
> Communicates with virtual machines and xen machines
I put the kernel_*_xen_state() calls in with the other xen_*() calls.
Merged with some other tweaks.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
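The question raised above (a capability grant such as sys_ptrace or kill that is not matched by any process-level ptrace or signal permission) can be checked mechanically from the AVC denials that motivated the patch. The script below is an added example and is not part of the refpolicy thread, of the linked services_snmp.patch, or of any refpolicy tooling. The audit lines are constructed to resemble audit.log output; snmpd_t, xend_t and init_t are refpolicy type names, while monitord_t and the process-permission expectations in CAP_EXPECTS_PROCESS_PERM are assumptions made for the example.

```python
"""Triage capability denials against the process-level permissions that
usually accompany them (added example, not refpolicy code)."""
import re
from collections import defaultdict

# Constructed AVC lines in audit.log format (not real captures).
# CAP_SYS_PTRACE=19, CAP_IPC_LOCK=14, CAP_KILL=5; monitord_t is hypothetical.
SAMPLE_AVCS = """\
type=AVC msg=audit(1227655411.001:201): avc:  denied  { sys_ptrace } for  pid=2345 comm="snmpd" capability=19  scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=capability
type=AVC msg=audit(1227655411.002:202): avc:  denied  { ipc_lock } for  pid=2345 comm="snmpd" capability=14  scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=capability
type=AVC msg=audit(1227655411.003:203): avc:  denied  { getattr } for  pid=2345 comm="snmpd" path="/proc/1" dev=proc ino=1 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1227655411.004:204): avc:  denied  { sys_ptrace } for  pid=3001 comm="monitord" capability=19  scontext=system_u:system_r:monitord_t:s0 tcontext=system_u:system_r:monitord_t:s0 tclass=capability
type=AVC msg=audit(1227655411.005:205): avc:  denied  { ptrace } for  pid=3001 comm="monitord" scontext=system_u:system_r:monitord_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=process
type=AVC msg=audit(1227655411.006:206): avc:  denied  { kill } for  pid=3001 comm="monitord" capability=5  scontext=system_u:system_r:monitord_t:s0 tcontext=system_u:system_r:monitord_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumed pairings: a capability that only makes sense alongside one of
# these process permissions on some *other* domain.
CAP_EXPECTS_PROCESS_PERM = {
    "sys_ptrace": {"ptrace"},
    "kill": {"signal", "sigkill", "sigstop", "sigchld"},
}


def seltype(context):
    """Extract the type from a user:role:type[:mls] security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Aggregate denials as {source_type: {(target_type, tclass): set(perms)}}."""
    denials = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (SYSCALL, CWD, ... or unparseable)
        src = seltype(m.group("scontext"))
        tgt = seltype(m.group("tcontext"))
        denials[src][(tgt, m.group("tclass"))].update(m.group("perms").split())
    return denials


def questionable_caps(denials):
    """Return [(source_type, capability)] for capability denials that are not
    accompanied by a matching process-class denial against another domain."""
    findings = []
    for src, accesses in denials.items():
        caps = accesses.get((src, "capability"), set())
        process_perms = set()
        for (tgt, tclass), perms in accesses.items():
            if tclass == "process" and tgt != src:
                process_perms |= perms
        for cap, expected in sorted(CAP_EXPECTS_PROCESS_PERM.items()):
            if cap in caps and not (expected & process_perms):
                findings.append((src, cap))
    return findings


if __name__ == "__main__":
    denials = parse_avcs(SAMPLE_AVCS)
    for src, accesses in denials.items():
        for (tgt, tclass), perms in sorted(accesses.items()):
            print(f"{src} -> {tgt}:{tclass} {{ {' '.join(sorted(perms))} }}")
    for src, cap in questionable_caps(denials):
        print(f"QUESTIONABLE: {src} requests capability {cap} "
              f"without a companion process permission")
```

With the constructed input, snmpd_t is flagged for sys_ptrace (only a dir getattr on init_t accompanies it), while monitord_t's sys_ptrace is explained by its process:ptrace denial on xend_t and its kill capability is flagged instead. One caveat when running this over a real audit.log: a dontaudit rule for the companion process permission hides exactly the denial this check looks for, so disable dontaudit rules first (semodule -DB, then semodule -B to restore) before concluding a capability grant has no explanation.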