On Sat, 2008-07-19 at 22:50 +0200, david@xxxxxxxxxxx wrote:
> plain text document attachment (policy_modules_system_raid.patch)
> The original patch also added dev_read_realtime_clock(mdadm_t)
> which I removed since I couldn't find a version of mdadm in
> Debian or RedHat which actually read /dev/rtc (and likewise
> for /sbin/mdmpd on RH).

Partial merge (see below)

> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.5.0/policy/modules/system/raid.te
> --- nsaserefpolicy/policy/modules/system/raid.te	2008-07-10 11:38:46.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/system/raid.te	2008-07-15 14:05:13.000000000 -0400
> @@ -19,7 +19,7 @@
>  # Local policy
>  #
>  
> -allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
> +allow mdadm_t self:capability { dac_override mknod sys_admin ipc_lock };
>  dontaudit mdadm_t self:capability sys_tty_config;
>  allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
>  allow mdadm_t self:fifo_file rw_fifo_file_perms;

An explicit mknod isn't needed because storage_manage_fixed_disk() provides the capability.

> @@ -86,3 +86,7 @@
>  optional_policy(`
>  	udev_read_db(mdadm_t)
>  ')
> +
> +optional_policy(`
> +	unconfined_domain(mdadm_t)
> +')

This part is merged.

-- 
Chris PeBenito <pebenito@xxxxxxxxxx>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
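Review bot: in the first hunk (@@ -19,7 +19,7 @@), the added `mknod` in `allow mdadm_t self:capability { dac_override mknod sys_admin ipc_lock };` is redundant if, as the reply states, storage_manage_fixed_disk() already grants that capability to mdadm_t; a capability added directly to a domain's self:capability rule should come with a comment naming the operation or the AVC denial it is meant to fix, otherwise the duplicate is likely to be re-added or dropped by the next person touching raid.te. Suggest dropping the `mknod` change from this hunk, or documenting the specific mdadm code path that needs it independently of the storage interface.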
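Review bot: in the second hunk (@@ -86,3 +86,7 @@), `unconfined_domain(mdadm_t)` inside `optional_policy(` makes mdadm_t an unconfined domain whenever the unconfined module is loaded, which overrides the fine-grained capability, process and fifo_file rules in the first hunk on any system where that module is present. The hunk carries no comment explaining what mdadm does that the confined rules could not cover, so the merged policy now reads as if the confinement of mdadm_t were intentional on some builds and abandoned on others. Suggest adding a comment above the block stating why mdadm must be unconfined, and, if the need is only for a subset of operations, replacing the blanket unconfined_domain() call with the specific interface that covers them.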