* [refpolicy] [PATCH/RFC 9/19]: patch set to update the git reference policy
@ 2011-01-24 0:44 Guido Trentalancia
2011-01-24 14:01 ` Dominick Grift
0 siblings, 1 reply; 6+ messages in thread
From: Guido Trentalancia @ 2011-01-24 0:44 UTC (permalink / raw)
To: refpolicy
diff -pruN refpolicy-git-18012011-update-work/policy/modules/services/devicekit.if refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.if
--- refpolicy-git-18012011-update-work/policy/modules/services/devicekit.if 2011-01-23 23:13:48.169284451 +0100
+++ refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.if 2011-01-23 23:30:29.918756977 +0100
@@ -240,3 +240,22 @@ interface(`devicekit_admin',`
admin_pattern($1, devicekit_var_run_t)
files_search_pids($1)
')
+
+########################################
+## <summary>
+## DeviceKit power getattr on APM
+## bios character device node files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_getattr_apm_bios_files_power',`
+ gen_require(`
+ type apm_bios_t;
+ ')
+
+ getattr_chr_files_pattern($1, apm_bios_t, apm_bios_t)
+')
diff -pruN refpolicy-git-18012011-update-work/policy/modules/services/devicekit.te refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.te
--- refpolicy-git-18012011-update-work/policy/modules/services/devicekit.te 2011-01-23 23:13:48.170284646 +0100
+++ refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.te 2011-01-23 23:31:31.456301488 +0100
@@ -43,6 +43,7 @@ dev_read_sysfs(devicekit_t)
dev_read_urand(devicekit_t)
files_read_etc_files(devicekit_t)
+files_read_etc_runtime_files(devicekit_t)
miscfiles_read_localization(devicekit_t)
@@ -188,7 +189,7 @@ optional_policy(`
#
allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
-allow devicekit_power_t self:process getsched;
+allow devicekit_power_t self:process { getsched signal };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -197,12 +198,15 @@ manage_dirs_pattern(devicekit_power_t, d
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+kernel_search_fs_sysctl(devicekit_power_t)
+kernel_rw_vm_sysctls(devicekit_power_t)
kernel_read_network_state(devicekit_power_t)
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
kernel_search_debugfs(devicekit_power_t)
kernel_write_proc_files(devicekit_power_t)
+kernel_setsched(devicekit_power_t)
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
@@ -219,9 +223,11 @@ dev_rw_sysfs(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_files(devicekit_power_t)
+files_rw_etc_runtime_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
fs_list_inotifyfs(devicekit_power_t)
+fs_remount_xattr_fs(devicekit_power_t)
term_use_all_terms(devicekit_power_t)
@@ -234,6 +240,11 @@ sysnet_domtrans_ifconfig(devicekit_power
userdom_read_all_users_state(devicekit_power_t)
+devicekit_getattr_apm_bios_files_power(devicekit_power_t)
+
+mount_exec_getattr(devicekit_power_t)
+mount_exec(devicekit_power_t)
+
optional_policy(`
bootloader_domtrans(devicekit_power_t)
')
@@ -280,6 +291,10 @@ optional_policy(`
')
optional_policy(`
+ storage_raw_read_fixed_disk(devicekit_power_t)
+')
+
+optional_policy(`
udev_read_db(devicekit_power_t)
')
^ permalink raw reply [flat|nested] 6+ messages in thread* [refpolicy] [PATCH/RFC 9/19]: patch set to update the git reference policy
2011-01-24 0:44 [refpolicy] [PATCH/RFC 9/19]: patch set to update the git reference policy Guido Trentalancia
@ 2011-01-24 14:01 ` Dominick Grift
2011-01-24 15:32 ` Guido Trentalancia
0 siblings, 1 reply; 6+ messages in thread
From: Dominick Grift @ 2011-01-24 14:01 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/24/2011 01:44 AM, Guido Trentalancia wrote:
> diff -pruN refpolicy-git-18012011-update-work/policy/modules/services/devicekit.if refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.if
> --- refpolicy-git-18012011-update-work/policy/modules/services/devicekit.if 2011-01-23 23:13:48.169284451 +0100
> +++ refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.if 2011-01-23 23:30:29.918756977 +0100
> @@ -240,3 +240,22 @@ interface(`devicekit_admin',`
> admin_pattern($1, devicekit_var_run_t)
> files_search_pids($1)
> ')
> +
> +########################################
> +## <summary>
> +## DeviceKit power getattr on APM
> +## bios character device node files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`devicekit_getattr_apm_bios_files_power',`
> + gen_require(`
> + type apm_bios_t;
> + ')
> +
> + getattr_chr_files_pattern($1, apm_bios_t, apm_bios_t)
> +')
This interface name is wrong. It should be prefixed by the module name
that defined it (which is not devicekit)
You should also allow access to the location of the apm_bios_t
chr_files. This interface may provide access to get attribute of
apm_bios_t chr_files, but it does not do any good if the caller cannot
traverse its parent(s)
> diff -pruN refpolicy-git-18012011-update-work/policy/modules/services/devicekit.te refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.te
> --- refpolicy-git-18012011-update-work/policy/modules/services/devicekit.te 2011-01-23 23:13:48.170284646 +0100
> +++ refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.te 2011-01-23 23:31:31.456301488 +0100
> @@ -43,6 +43,7 @@ dev_read_sysfs(devicekit_t)
> dev_read_urand(devicekit_t)
>
> files_read_etc_files(devicekit_t)
> +files_read_etc_runtime_files(devicekit_t)
>
> miscfiles_read_localization(devicekit_t)
>
> @@ -188,7 +189,7 @@ optional_policy(`
> #
>
> allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
> -allow devicekit_power_t self:process getsched;
> +allow devicekit_power_t self:process { getsched signal };
> allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
> allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
> allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
> @@ -197,12 +198,15 @@ manage_dirs_pattern(devicekit_power_t, d
> manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
> files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
>
> +kernel_search_fs_sysctl(devicekit_power_t)
> +kernel_rw_vm_sysctls(devicekit_power_t)
> kernel_read_network_state(devicekit_power_t)
> kernel_read_system_state(devicekit_power_t)
> kernel_rw_hotplug_sysctls(devicekit_power_t)
> kernel_rw_kernel_sysctl(devicekit_power_t)
> kernel_search_debugfs(devicekit_power_t)
> kernel_write_proc_files(devicekit_power_t)
> +kernel_setsched(devicekit_power_t)
>
> corecmd_exec_bin(devicekit_power_t)
> corecmd_exec_shell(devicekit_power_t)
> @@ -219,9 +223,11 @@ dev_rw_sysfs(devicekit_power_t)
>
> files_read_kernel_img(devicekit_power_t)
> files_read_etc_files(devicekit_power_t)
> +files_rw_etc_runtime_files(devicekit_power_t)
> files_read_usr_files(devicekit_power_t)
>
> fs_list_inotifyfs(devicekit_power_t)
> +fs_remount_xattr_fs(devicekit_power_t)
>
> term_use_all_terms(devicekit_power_t)
>
> @@ -234,6 +240,11 @@ sysnet_domtrans_ifconfig(devicekit_power
>
> userdom_read_all_users_state(devicekit_power_t)
>
> +devicekit_getattr_apm_bios_files_power(devicekit_power_t)
> +
> +mount_exec_getattr(devicekit_power_t)
This interface name doesnt make sense to me
> +mount_exec(devicekit_power_t)
> +
> optional_policy(`
> bootloader_domtrans(devicekit_power_t)
> ')
> @@ -280,6 +291,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + storage_raw_read_fixed_disk(devicekit_power_t)
> +')
> +
> +optional_policy(`
> udev_read_db(devicekit_power_t)
> ')
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk09hk8ACgkQMlxVo39jgT8ivACfebUqxIup1uLhdPBqnPMyIyk1
5RoAoIzgwDxb0BY+3TzwigGJ1W0e3a++
=qdkU
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 6+ messages in thread* [refpolicy] [PATCH/RFC 9/19]: patch set to update the git reference policy
2011-01-24 14:01 ` Dominick Grift
@ 2011-01-24 15:32 ` Guido Trentalancia
2011-01-24 15:34 ` Dominick Grift
0 siblings, 1 reply; 6+ messages in thread
From: Guido Trentalancia @ 2011-01-24 15:32 UTC (permalink / raw)
To: refpolicy
On Mon, 24/01/2011 at 15.01 +0100, Dominick Grift wrote:
> On 01/24/2011 01:44 AM, Guido Trentalancia wrote:
> > diff -pruN refpolicy-git-18012011-update-work/policy/modules/services/devicekit.if refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.if
> > --- refpolicy-git-18012011-update-work/policy/modules/services/devicekit.if 2011-01-23 23:13:48.169284451 +0100
> > +++ refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.if 2011-01-23 23:30:29.918756977 +0100
> > @@ -240,3 +240,22 @@ interface(`devicekit_admin',`
> > admin_pattern($1, devicekit_var_run_t)
> > files_search_pids($1)
> > ')
> > +
> > +########################################
> > +## <summary>
> > +## DeviceKit power getattr on APM
> > +## bios character device node files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`devicekit_getattr_apm_bios_files_power',`
> > + gen_require(`
> > + type apm_bios_t;
> > + ')
> > +
> > + getattr_chr_files_pattern($1, apm_bios_t, apm_bios_t)
> > +')
>
> This interface name is wrong. It should be prefixed by the module name
> that defined it (which is not devicekit)
>
> You should also allow access to the location of the apm_bios_t
> chr_files. This interface may provide access to get attribute of
> apm_bios_t chr_files, but it does not do any good if the caller cannot
> traverse its parent(s)
Yes. Will be moved to devices.if.
> > diff -pruN refpolicy-git-18012011-update-work/policy/modules/services/devicekit.te refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.te
> > --- refpolicy-git-18012011-update-work/policy/modules/services/devicekit.te 2011-01-23 23:13:48.170284646 +0100
> > +++ refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.te 2011-01-23 23:31:31.456301488 +0100
> > @@ -43,6 +43,7 @@ dev_read_sysfs(devicekit_t)
> > dev_read_urand(devicekit_t)
> >
> > files_read_etc_files(devicekit_t)
> > +files_read_etc_runtime_files(devicekit_t)
> >
> > miscfiles_read_localization(devicekit_t)
> >
> > @@ -188,7 +189,7 @@ optional_policy(`
> > #
> >
> > allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
> > -allow devicekit_power_t self:process getsched;
> > +allow devicekit_power_t self:process { getsched signal };
> > allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
> > allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
> > allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
> > @@ -197,12 +198,15 @@ manage_dirs_pattern(devicekit_power_t, d
> > manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
> > files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
> >
> > +kernel_search_fs_sysctl(devicekit_power_t)
> > +kernel_rw_vm_sysctls(devicekit_power_t)
> > kernel_read_network_state(devicekit_power_t)
> > kernel_read_system_state(devicekit_power_t)
> > kernel_rw_hotplug_sysctls(devicekit_power_t)
> > kernel_rw_kernel_sysctl(devicekit_power_t)
> > kernel_search_debugfs(devicekit_power_t)
> > kernel_write_proc_files(devicekit_power_t)
> > +kernel_setsched(devicekit_power_t)
> >
> > corecmd_exec_bin(devicekit_power_t)
> > corecmd_exec_shell(devicekit_power_t)
> > @@ -219,9 +223,11 @@ dev_rw_sysfs(devicekit_power_t)
> >
> > files_read_kernel_img(devicekit_power_t)
> > files_read_etc_files(devicekit_power_t)
> > +files_rw_etc_runtime_files(devicekit_power_t)
> > files_read_usr_files(devicekit_power_t)
> >
> > fs_list_inotifyfs(devicekit_power_t)
> > +fs_remount_xattr_fs(devicekit_power_t)
> >
> > term_use_all_terms(devicekit_power_t)
> >
> > @@ -234,6 +240,11 @@ sysnet_domtrans_ifconfig(devicekit_power
> >
> > userdom_read_all_users_state(devicekit_power_t)
> >
> > +devicekit_getattr_apm_bios_files_power(devicekit_power_t)
> > +
> > +mount_exec_getattr(devicekit_power_t)
>
> This interface name doesnt make sense to me
So, what name do you propose instead ?
Regards,
Guido
^ permalink raw reply [flat|nested] 6+ messages in thread* [refpolicy] [PATCH/RFC 9/19]: patch set to update the git reference policy
2011-01-24 15:32 ` Guido Trentalancia
@ 2011-01-24 15:34 ` Dominick Grift
2011-01-25 18:20 ` Guido Trentalancia
0 siblings, 1 reply; 6+ messages in thread
From: Dominick Grift @ 2011-01-24 15:34 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/24/2011 04:32 PM, Guido Trentalancia wrote:
> On Mon, 24/01/2011 at 15.01 +0100, Dominick Grift wrote:
>> On 01/24/2011 01:44 AM, Guido Trentalancia wrote:
>>> diff -pruN refpolicy-git-18012011-update-work/policy/modules/services/devicekit.if refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.if
>>> --- refpolicy-git-18012011-update-work/policy/modules/services/devicekit.if 2011-01-23 23:13:48.169284451 +0100
>>> +++ refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.if 2011-01-23 23:30:29.918756977 +0100
>>> @@ -240,3 +240,22 @@ interface(`devicekit_admin',`
>>> admin_pattern($1, devicekit_var_run_t)
>>> files_search_pids($1)
>>> ')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## DeviceKit power getattr on APM
>>> +## bios character device node files.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`devicekit_getattr_apm_bios_files_power',`
>>> + gen_require(`
>>> + type apm_bios_t;
>>> + ')
>>> +
>>> + getattr_chr_files_pattern($1, apm_bios_t, apm_bios_t)
>>> +')
>>
>> This interface name is wrong. It should be prefixed by the module name
>> that defined it (which is not devicekit)
>>
>> You should also allow access to the location of the apm_bios_t
>> chr_files. This interface may provide access to get attribute of
>> apm_bios_t chr_files, but it does not do any good if the caller cannot
>> traverse its parent(s)
>
> Yes. Will be moved to devices.if.
>
>>> diff -pruN refpolicy-git-18012011-update-work/policy/modules/services/devicekit.te refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.te
>>> --- refpolicy-git-18012011-update-work/policy/modules/services/devicekit.te 2011-01-23 23:13:48.170284646 +0100
>>> +++ refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.te 2011-01-23 23:31:31.456301488 +0100
>>> @@ -43,6 +43,7 @@ dev_read_sysfs(devicekit_t)
>>> dev_read_urand(devicekit_t)
>>>
>>> files_read_etc_files(devicekit_t)
>>> +files_read_etc_runtime_files(devicekit_t)
>>>
>>> miscfiles_read_localization(devicekit_t)
>>>
>>> @@ -188,7 +189,7 @@ optional_policy(`
>>> #
>>>
>>> allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
>>> -allow devicekit_power_t self:process getsched;
>>> +allow devicekit_power_t self:process { getsched signal };
>>> allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
>>> allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
>>> allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
>>> @@ -197,12 +198,15 @@ manage_dirs_pattern(devicekit_power_t, d
>>> manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
>>> files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
>>>
>>> +kernel_search_fs_sysctl(devicekit_power_t)
>>> +kernel_rw_vm_sysctls(devicekit_power_t)
>>> kernel_read_network_state(devicekit_power_t)
>>> kernel_read_system_state(devicekit_power_t)
>>> kernel_rw_hotplug_sysctls(devicekit_power_t)
>>> kernel_rw_kernel_sysctl(devicekit_power_t)
>>> kernel_search_debugfs(devicekit_power_t)
>>> kernel_write_proc_files(devicekit_power_t)
>>> +kernel_setsched(devicekit_power_t)
>>>
>>> corecmd_exec_bin(devicekit_power_t)
>>> corecmd_exec_shell(devicekit_power_t)
>>> @@ -219,9 +223,11 @@ dev_rw_sysfs(devicekit_power_t)
>>>
>>> files_read_kernel_img(devicekit_power_t)
>>> files_read_etc_files(devicekit_power_t)
>>> +files_rw_etc_runtime_files(devicekit_power_t)
>>> files_read_usr_files(devicekit_power_t)
>>>
>>> fs_list_inotifyfs(devicekit_power_t)
>>> +fs_remount_xattr_fs(devicekit_power_t)
>>>
>>> term_use_all_terms(devicekit_power_t)
>>>
>>> @@ -234,6 +240,11 @@ sysnet_domtrans_ifconfig(devicekit_power
>>>
>>> userdom_read_all_users_state(devicekit_power_t)
>>>
>>> +devicekit_getattr_apm_bios_files_power(devicekit_power_t)
>>> +
>>> +mount_exec_getattr(devicekit_power_t)
>>
>> This interface name doesnt make sense to me
>
> So, what name do you propose instead ?
something like mount_getattr_executable_file() or something. Although
besides the naming issue, i am not sure whether there is a real need for
the interface at all.
> Regards,
>
> Guido
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk09nA8ACgkQMlxVo39jgT9h6ACggShQXCugLPWW3pFQBFIEMNJH
94cAn02PtH6Wr7tuO33iXQjpvPamDWL+
=94mT
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 6+ messages in thread* [refpolicy] [PATCH/RFC 9/19]: patch set to update the git reference policy
2011-01-24 15:34 ` Dominick Grift
@ 2011-01-25 18:20 ` Guido Trentalancia
2011-01-26 17:26 ` Guido Trentalancia
0 siblings, 1 reply; 6+ messages in thread
From: Guido Trentalancia @ 2011-01-25 18:20 UTC (permalink / raw)
To: refpolicy
Hello again Dominick !
On Mon, 24/01/2011 at 16.34 +0100, Dominick Grift wrote:
> On 01/24/2011 04:32 PM, Guido Trentalancia wrote:
> > On Mon, 24/01/2011 at 15.01 +0100, Dominick Grift wrote:
> >> On 01/24/2011 01:44 AM, Guido Trentalancia wrote:
> >>> diff -pruN refpolicy-git-18012011-update-work/policy/modules/services/devicekit.te refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.te
> >>> --- refpolicy-git-18012011-update-work/policy/modules/services/devicekit.te 2011-01-23 23:13:48.170284646 +0100
> >>> +++ refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.te 2011-01-23 23:31:31.456301488 +0100
> >>> @@ -43,6 +43,7 @@ dev_read_sysfs(devicekit_t)
> >>> dev_read_urand(devicekit_t)
> >>>
> >>> files_read_etc_files(devicekit_t)
> >>> +files_read_etc_runtime_files(devicekit_t)
> >>>
> >>> miscfiles_read_localization(devicekit_t)
> >>>
> >>> @@ -188,7 +189,7 @@ optional_policy(`
> >>> #
> >>>
> >>> allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
> >>> -allow devicekit_power_t self:process getsched;
> >>> +allow devicekit_power_t self:process { getsched signal };
> >>> allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
> >>> allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
> >>> allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
> >>> @@ -197,12 +198,15 @@ manage_dirs_pattern(devicekit_power_t, d
> >>> manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
> >>> files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
> >>>
> >>> +kernel_search_fs_sysctl(devicekit_power_t)
> >>> +kernel_rw_vm_sysctls(devicekit_power_t)
> >>> kernel_read_network_state(devicekit_power_t)
> >>> kernel_read_system_state(devicekit_power_t)
> >>> kernel_rw_hotplug_sysctls(devicekit_power_t)
> >>> kernel_rw_kernel_sysctl(devicekit_power_t)
> >>> kernel_search_debugfs(devicekit_power_t)
> >>> kernel_write_proc_files(devicekit_power_t)
> >>> +kernel_setsched(devicekit_power_t)
> >>>
> >>> corecmd_exec_bin(devicekit_power_t)
> >>> corecmd_exec_shell(devicekit_power_t)
> >>> @@ -219,9 +223,11 @@ dev_rw_sysfs(devicekit_power_t)
> >>>
> >>> files_read_kernel_img(devicekit_power_t)
> >>> files_read_etc_files(devicekit_power_t)
> >>> +files_rw_etc_runtime_files(devicekit_power_t)
> >>> files_read_usr_files(devicekit_power_t)
> >>>
> >>> fs_list_inotifyfs(devicekit_power_t)
> >>> +fs_remount_xattr_fs(devicekit_power_t)
> >>>
> >>> term_use_all_terms(devicekit_power_t)
> >>>
> >>> @@ -234,6 +240,11 @@ sysnet_domtrans_ifconfig(devicekit_power
> >>>
> >>> userdom_read_all_users_state(devicekit_power_t)
> >>>
> >>> +devicekit_getattr_apm_bios_files_power(devicekit_power_t)
> >>> +
> >>> +mount_exec_getattr(devicekit_power_t)
> >>
> >> This interface name doesnt make sense to me
> >
> > So, what name do you propose instead ?
>
>
> something like mount_getattr_executable_file() or something. Although
> besides the naming issue, i am not sure whether there is a real need for
> the interface at all.
The name has been changed according to the one that you proposed. Yes,
it's needed, unless the explcit permissions are written down as allowed
rules in the TE file, which is not very readable.
Regards,
Guido
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2011-01-26 17:26 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-01-24 0:44 [refpolicy] [PATCH/RFC 9/19]: patch set to update the git reference policy Guido Trentalancia
2011-01-24 14:01 ` Dominick Grift
2011-01-24 15:32 ` Guido Trentalancia
2011-01-24 15:34 ` Dominick Grift
2011-01-25 18:20 ` Guido Trentalancia
2011-01-26 17:26 ` Guido Trentalancia
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.