From mboxrd@z Thu Jan  1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 2 Jul 2012 10:47:43 -0400
Subject: [refpolicy] [PATCH v2 2/6] Allow init scripts to handle sysctls
In-Reply-To: <1340911046-30441-3-git-send-email-sven.vermeulen@siphos.be>
References: <1340911046-30441-1-git-send-email-sven.vermeulen@siphos.be>
	<1340911046-30441-3-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <4FF1B48F.4060909@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/28/12 15:17, Sven Vermeulen wrote:
> The init script(s) that set/reset the sysctl's require the sys_admin capability
> (as you cannot change sysctls without it).
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/init.te |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 9fdd704..7dfd9a9 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -222,7 +222,7 @@ optional_policy(`
>  #
>  
>  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
> -allow initrc_t self:capability ~{ sys_admin sys_module };
> +allow initrc_t self:capability ~{ sys_module };
>  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
>  allow initrc_t self:passwd rootok;
>  allow initrc_t self:key manage_key_perms;

We typically try to separate out the sys_admin privileges since its so broad.  Can a new domain be created?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com