[DSE-Dev] refpolicy: patch rpc
Christopher J. PeBenito
cpebenito at tresys.com
Mon Feb 25 14:31:07 UTC 2008

On Mon, 2008-02-25 at 13:38 +0100, Václav Ovsík wrote:
> Hi,
> the following denials appear during startup of rpc.statd (nfs-common
> service) on Debian Sid:
> 
> Feb 22 23:27:45 sid kernel: audit(1203719264.336:3): avc:  denied  { search } for  pid=1482 comm="rpc.statd" name="sbin" dev=sda1 ino=245761 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
> Feb 22 23:27:45 sid kernel: audit(1203719264.336:4): avc:  denied  { execute } for  pid=1482 comm="rpc.statd" name="sm-notify" dev=sda1 ino=376910 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> Feb 22 23:27:45 sid kernel: audit(1203719264.336:5): avc:  denied  { execute_no_trans } for  pid=1482 comm="rpc.statd" name="sm-notify" dev=sda1 ino=376910 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> Feb 22 23:27:45 sid kernel: audit(1203719264.336:6): avc:  denied  { read } for  pid=1482 comm="rpc.statd" name="sm-notify" dev=sda1 ino=376910 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> Feb 22 23:27:45 sid kernel: audit(1203719264.724:7): avc:  denied  { search } for  pid=1482 comm="sm-notify" name="fs" dev=proc ino=-268435429 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
> @@ -60,10 +60,13 @@
>  manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
>  files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
>  
> +corecmd_exec_bin(rpcd_t)
> +
>  kernel_read_system_state(rpcd_t) 
>  kernel_search_network_state(rpcd_t) 
>  # for rpc.rquotad
>  kernel_read_sysctl(rpcd_t)  
> +kernel_rw_fs_sysctls(rpcd_t)
>  
>  fs_list_rpc(rpcd_t)
>  fs_read_rpc_files(rpcd_t)
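Review bot: both added lines grant more than the quoted denials ask for. `corecmd_exec_bin(rpcd_t)` lets rpcd_t execute every bin_t file in its own domain, while the denials only show the single `sm-notify` binary (`execute`, `execute_no_trans`, `read`); and `kernel_rw_fs_sysctls(rpcd_t)` adds write access to fs sysctls when the only `sysctl_fs_t` denial shown for `sm-notify` is `{ search }` on the directory. Consider a read-only fs sysctl interface unless a write denial was actually observed, and add a comment naming the program that needs each line, as the existing `# for rpc.rquotad` comment does for `kernel_read_sysctl`.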
Perhaps we should make sm-notify rpcd_exec_t and allow exec on that?
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
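Added example, not part of this thread or of refpolicy: a small Python triage script that takes the denials quoted above (embedded here as constructed input), collapses them into one permission set per (source type, target type, class), renders raw allow rules, and flags the `execute_no_trans` case that the rpcd_exec_t suggestion above addresses. The function names and the regular expression are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the five rpc.statd / sm-notify denials quoted in the thread.
SAMPLE_AVC = """\
Feb 22 23:27:45 sid kernel: audit(1203719264.336:3): avc:  denied  { search } for  pid=1482 comm="rpc.statd" name="sbin" dev=sda1 ino=245761 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
Feb 22 23:27:45 sid kernel: audit(1203719264.336:4): avc:  denied  { execute } for  pid=1482 comm="rpc.statd" name="sm-notify" dev=sda1 ino=376910 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
Feb 22 23:27:45 sid kernel: audit(1203719264.336:5): avc:  denied  { execute_no_trans } for  pid=1482 comm="rpc.statd" name="sm-notify" dev=sda1 ino=376910 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
Feb 22 23:27:45 sid kernel: audit(1203719264.336:6): avc:  denied  { read } for  pid=1482 comm="rpc.statd" name="sm-notify" dev=sda1 ino=376910 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
Feb 22 23:27:45 sid kernel: audit(1203719264.724:7): avc:  denied  { search } for  pid=1482 comm="sm-notify" name="fs" dev=proc ino=-268435429 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)'
)

def type_of(context):
    """Return the type field (third component) of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(text):
    """Collapse AVC denial lines into (source type, target type, class) -> permission set."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def allow_rules(summary):
    """Render the summary as raw allow rules, sorted for stable output."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]

def executes_without_transition(summary):
    """Target file types the domain runs in its own context (execute_no_trans):
    the cases where a dedicated exec type plus can_exec()/domtrans is worth considering."""
    return sorted(t for (s, t, c), p in summary.items()
                  if c == "file" and "execute_no_trans" in p)

if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AVC)
    print("\n".join(allow_rules(summary)))
    print("executed in-domain:", executes_without_transition(summary))
```

The five denials reduce to three raw rules; the `bin_t:file` one carries `execute_no_trans`, which is the in-domain execution the rpcd_exec_t idea would replace.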