Christopher J. PeBenito | 8 Jan 2007 18:48
Re: Latest diffs

On Wed, 2007-01-03 at 15:48 -0600, Klaus Weidner wrote:
> On Wed, Jan 03, 2007 at 11:54:44AM -0500, Daniel J Walsh wrote:
> > sudo reads netlink_route_socket, wants to look at the kernel key ring,
> > stores a token in the pam_pid directory, and needs to getattr on all
> > "user" executables.
> > 
> > Some changes to su in order to handle key rings. Needs
> > mls_file_write_down. Need to be able to su from different domains, and
> > pam_rootok causes some selinux_compute_access checks.
> [...]
> > sshd wants to look at kernel key ring
> [...]
> > fixes for authlogin handling of keyrings and mls, as well as pcscd
> 
> I'm confused about what kernel keyring features are currently available
> in the current policy, and who gets to use them.

I haven't had a chance to look at the patch, but what is currently
upstream does not allow users to do anything with keys.  Here's the
current rules across the entire upstream repo (which includes modules
not enabled in the lspp policy):

allow crond_t kernel_t:key search;
allow crond_t local_login_t:key link;
allow crond_t local_login_t:key search;
allow crond_t self:key { search write link };
allow initrc_su_t kernel_t:key search;
allow initrc_su_t self:key { search write };
allow local_login_t kernel_t:key link;
allow local_login_t kernel_t:key search;
allow local_login_t self:key { search write link };
allow local_login_t userdomain:key create;
allow remote_login_t self:key write;
allow sshd_t kernel_t:key link;
allow sshd_t self:key { search link write };
allow unconfined_domain_type domain:key *;
allow xdm_t self:key { search link write };
allow xdm_t userdomain:key create;

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@... with
the words "unsubscribe selinux" without quotes as the message.
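The reply answers the question by reading every `key`-class allow rule out of the policy source by hand. The following is an added example, not code from the thread or from the reference policy: a small Python parser that takes the rules exactly as quoted above (embedded inline as the only input), groups them by source domain, and answers audit questions such as "which domains may create keys for userdomain?" or "which domains touch the kernel keyring?". It handles only plain `allow src tgt:class perm;` and `allow src tgt:class { p1 p2 };` statements, which is all that appears in the listing; the regular expression, function names and the caveat about attributes are this example's own, not part of any SELinux tool.

```python
"""Summarize SELinux key-class allow rules from a policy source listing.

Added example, not code from the mailing-list thread. The rules below are
the ones quoted in the reply; the parser is hand-written for this listing
and only understands single-permission and brace-grouped allow statements.
"""
import re
from collections import defaultdict

# Constructed input: the allow rules quoted in the reply, verbatim.
POLICY_RULES = """\
allow crond_t kernel_t:key search;
allow crond_t local_login_t:key link;
allow crond_t local_login_t:key search;
allow crond_t self:key { search write link };
allow initrc_su_t kernel_t:key search;
allow initrc_su_t self:key { search write };
allow local_login_t kernel_t:key link;
allow local_login_t kernel_t:key search;
allow local_login_t self:key { search write link };
allow local_login_t userdomain:key create;
allow remote_login_t self:key write;
allow sshd_t kernel_t:key link;
allow sshd_t self:key { search link write };
allow unconfined_domain_type domain:key *;
allow xdm_t self:key { search link write };
allow xdm_t userdomain:key create;
"""

# Matches `allow SRC TGT:CLASS PERM;` or `allow SRC TGT:CLASS { P1 P2 };`.
# Attribute sets, conditionals and other statement kinds are deliberately
# out of scope for this example.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;\s*$"
)


def parse_allow_rules(text):
    """Yield (source, target, class, frozenset(perms)) per allow statement."""
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue  # not an allow rule this parser understands; skip it
        src, tgt, tclass, perms = m.groups()
        yield src, tgt, tclass, frozenset(perms.strip("{}").split())


def key_rules_by_source(text):
    """Map source domain -> target -> set of permissions on class `key`."""
    out = defaultdict(lambda: defaultdict(set))
    for src, tgt, tclass, perms in parse_allow_rules(text):
        if tclass == "key":
            out[src][tgt].update(perms)
    return {src: dict(tgts) for src, tgts in out.items()}


def key_sources(text):
    """Every type or attribute that is the source of some key-class rule."""
    return sorted(key_rules_by_source(text))


def sources_with_perm(text, perm, target=None):
    """Sources granted `perm` (or everything via `*`) on key objects.

    Caveat: sources and targets are matched literally. A grant written on an
    attribute (here `unconfined_domain_type` on `domain`) is reported under
    the attribute name; expanding attributes to member types needs the full
    policy, which this listing does not carry.
    """
    hits = set()
    for src, tgts in key_rules_by_source(text).items():
        for tgt, perms in tgts.items():
            if target is not None and tgt != target:
                continue
            if perm in perms or "*" in perms:
                hits.add(src)
    return sorted(hits)


if __name__ == "__main__":
    for src in key_sources(POLICY_RULES):
        for tgt, perms in sorted(key_rules_by_source(POLICY_RULES)[src].items()):
            print(f"{src:24} {tgt:20} {' '.join(sorted(perms))}")
    print("can create keys for userdomain:",
          sources_with_perm(POLICY_RULES, "create", target="userdomain"))
```

Run against a checked-out policy tree, the same functions can be fed the concatenated `.te` files instead of the embedded listing; the absence of any rule with a user domain as source is then visible directly from `key_sources`, which is the point the reply makes.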
