SELinuxPolicy

From Linux Checkpoint / Restart Wiki
Revision as of 20:22, 4 March 2010 by Hallyn (Talk | contribs)


For checkpoint/restart we introduce a new 'restore' permission to a few SELinux object classes: process, file, ipc, and msg.

When restarting a process, you can specify the '-k' flag to request the checkpointed SELinux labels be restored. Doing so requires that the domain in which /bin/restart is running have the class:restore permission for the checkpointed label.

Note that in most cases you can simply omit -k, and then the restore permissions are not needed. However, if the application was checkpointed with non-empty sysvipc message queues, the msg:restore permission will still be needed. (This will probably change.)

To use the restore permissions, you must recompile your SELinux policy so that it is aware of the new restore permission. You'll want to edit refpolicy-$version/policy/flask/access_vectors to add 'restore' to the common ipc, class file, class ipc, and class msg. After recompiling and installing, you'll need to go to /usr/share/selinux/devel/include/support and edit all_perms.spt to add restore to all_file_perms, all_process_perms, all_ipc_perms, and all_msg_perms.

Of course, the above should all be done in upstream policy when checkpoint/restart hits the upstream kernel.
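A check that can be run on the edited access_vectors file before recompiling, given here as an added example (it is not part of the wiki page or of the checkpoint/restart patches): it parses the file, resolves `inherits` against the `common` blocks, and reports which of the four classes named at the top of this page still lack 'restore'. The function names and the sample excerpt are constructed for illustration.

```python
import re

# Classes the page lists as gaining the new 'restore' permission.
RESTORE_CLASSES = ("process", "file", "ipc", "msg")

def parse_access_vectors(text):
    """Return {class_name: set(perms)}, resolving 'inherits' against commons."""
    text = re.sub(r"#.*", "", text)              # strip comments
    toks = re.findall(r"[{}]|[^\s{}]+", text)    # words and braces
    commons, classes, i = {}, {}, 0
    while i < len(toks):
        kind = toks[i]
        if kind not in ("common", "class") or i + 1 >= len(toks):
            raise ValueError(f"unexpected token {kind!r}")
        name, perms = toks[i + 1], set()
        i += 2
        if kind == "class" and toks[i:i + 1] == ["inherits"]:
            perms |= commons[toks[i + 1]]        # KeyError: unknown common
            i += 2
        if toks[i:i + 1] == ["{"]:               # the body is optional
            end = toks.index("}", i)
            perms |= set(toks[i + 1:end])
            i = end + 1
        (commons if kind == "common" else classes)[name] = perms
    return classes

def classes_missing_restore(text, perm="restore"):
    """List the classes from RESTORE_CLASSES that still lack perm."""
    classes = parse_access_vectors(text)
    return [c for c in RESTORE_CLASSES if perm not in classes.get(c, set())]

# Constructed excerpt (not a real refpolicy file): 'restore' was added to
# common ipc, class file and class process, but class msg was forgotten.
SAMPLE = """
common file { ioctl read write }
common ipc  { create destroy restore }   # inherited by class ipc
class file inherits file { execute_no_trans entrypoint restore }
class process { fork transition restore }
class ipc inherits ipc
class msg { send receive }
"""

if __name__ == "__main__":
    print("missing restore:", classes_missing_restore(SAMPLE))
```

To check a real tree, pass the contents of refpolicy-$version/policy/flask/access_vectors to `classes_missing_restore`; an empty list means all four classes carry the permission.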

You can then compile a small module, such as the one below, which gives unconfined_t restore permission to itself.

<blockquote>
# Start from a copy of the policy development tree
cd /usr/share/selinux
cp -r devel cr
cd cr
rm example*
touch cr.if
touch cr.fc
# The delimiter is quoted so the shell passes the m4 quoting in gen_require through untouched
cat > cr.te << 'EOF'
policy_module(cr,1.0.0)

########################################
#
# Declarations
#

gen_require(`
	type unconfined_t;
')

allow unconfined_t unconfined_t:process restore;
allow unconfined_t unconfined_t:ipc restore;
allow unconfined_t unconfined_t:file restore;
allow unconfined_t unconfined_t:file fown_restore;
allow unconfined_t unconfined_t:msg restore;
EOF
# Build the module and load it into the running policy
make
semodule -i cr.pp
</blockquote>
