SELinuxPolicy
Revision as of 20:28, 4 March 2010
For checkpoint/restart we introduce a new 'restore' permission to a few SELinux object classes: process, file, ipc, and msg.
Note that for the most part you can simply not use -k and not need the restore permissions. However if the application was checkpointed with non-empty sysvipc message queues, then msg:restore permission will still be needed. (This will probably change.)
When restarting a process, you can specify the '-k' flag to request the checkpointed SELinux labels be restored. Doing so requires that the domain in which /bin/restart is running have the class:restore permission for the checkpointed label.
To do so, you can do one of two things. First, you can compile a policy which defaults to 'allow' for unknown permissions. See the UNK_PERMS variable in refpolicy/build.conf. Alternatively, you can recompile your SELinux policy to be aware of the restore labels. You'll want to edit refpolicy-$version/policy/flask/access_vectors to add 'restore' to the common ipc, class file, class ipc, and class msg. After recompiling and installing, you'll need to go to /usr/share/selinux/devel/include/support and edit all_perms.spt to add restore to all_file_perms, all_process_perms, all_ipc_perms, and all_msg_perms.
Of course the above should all be done in upstream policy when checkpoint/restart hits the upstream kernel.
You can then compile a small module, such as the one below, which gives unconfined_t restore permission to itself.
<blockquote>
cd /usr/share/selinux
cp -r devel cr
cd cr
rm example*
touch cr.if
touch cr.fc
# Quote the delimiter so the shell does not treat the m4 backtick in gen_require as command substitution.
cat > cr.te << 'EOF'
policy_module(cr,1.0.0)

########################################
#
# Declarations
#

gen_require(`
	type unconfined_t;
')

allow unconfined_t unconfined_t:process restore;
allow unconfined_t unconfined_t:ipc restore;
allow unconfined_t unconfined_t:file restore;
allow unconfined_t unconfined_t:file fown_restore;
allow unconfined_t unconfined_t:msg restore;
EOF
make
semodule -i cr.pp
</blockquote>
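When restart is run with -k in a domain that lacks class:restore, the AVC denials in the audit log say exactly which allow rules a module like cr.te is missing. The following is an added example, not code from the wiki page, that turns such denials into allow rules; the audit lines, pids and the user_tmp_t target type are constructed.

```python
import re
from collections import OrderedDict

# Constructed sample of audit.log output for a hypothetical '/bin/restart -k' run
# in unconfined_t without the restore permissions (values are made up).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1267727280.123:45): avc:  denied  { restore } for  pid=2140 comm="restart" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1267727280.124:46): avc:  denied  { restore } for  pid=2140 comm="restart" path="/tmp/app.out" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1267727280.124:47): avc:  denied  { fown_restore } for  pid=2140 comm="restart" path="/tmp/app.out" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1267727280.125:48): avc:  denied  { restore } for  pid=2140 comm="restart" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=msg permissive=0
type=AVC msg=audit(1267727280.126:49): avc:  denied  { read } for  pid=2141 comm="cat" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

# The object classes that gained a restore permission for checkpoint/restart.
RESTORE_CLASSES = {"process", "file", "ipc", "msg"}

def domain_type(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]

def restore_denials(log_text):
    """Return (source_type, target_type, tclass, perm) for each restore-related denial."""
    out = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") not in RESTORE_CLASSES:
            continue
        for perm in m.group("perms").split():
            if perm == "restore" or perm.endswith("_restore"):  # covers file fown_restore too
                out.append((domain_type(m.group("scon")), domain_type(m.group("tcon")), m.group("tclass"), perm))
    return out

def allow_rules(log_text):
    """Group the denials into de-duplicated 'allow src tgt:class perms;' lines for a .te file."""
    grouped = OrderedDict()
    for src, tgt, tclass, perm in restore_denials(log_text):
        grouped.setdefault((src, tgt, tclass), []).append(perm)
    rules = []
    for (src, tgt, tclass), perms in grouped.items():
        uniq = sorted(set(perms))
        body = uniq[0] if len(uniq) == 1 else "{ " + " ".join(uniq) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules
```

Unrelated denials (the shadow_t read above) are ignored rather than turned into rules, which is the check to make before pasting generated rules into a module.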