[refpolicy] services_snmp.patch

Daniel J Walsh dwalsh at redhat.com
Wed Dec 3 17:09:03 CST 2008

Hash: SHA1

Christopher J. PeBenito wrote:
> On Tue, 2008-11-25 at 16:23 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snmp.patch
>> Add initrc labeling support
>> /var/agentx needs a label
>> Clean up admin interface
>> snmp needs getsched, setsched
>> needs ipc_lock and sys_ptrace
> These two caps came up earlier this week; it makes me wonder if there is
> any similarity (does it fit into a pattern?).  The other one had kill
> (was already on snmpd_t), sys_ptrace, and ipc_lock too.  Snmpd doesn't
> have process ptrace or process sigkill perms, which is why this seems
> questionable.
>> Reads file systems and rw xen state
>> Dontaudit ptrace domains
>> Checks all executables
>> Does walks of the file systems
>> Execs consoletype,
>> Communicates with virtual machines and xen machines
> I put the kernel_*_xen_state() calls in with the other xen_*() calls.
> Merged with some other tweaks.
But the xen stuff is optional while the kernel* calls are not.  So if
you used a policy without xen policy you still want to use the xen device.
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org


More information about the refpolicy mailing list