[selinux-policy: 1350/3172] second part of dans patch Tue, 11 Apr 2006 09:25:24 -0400

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:02:11 UTC 2010


commit c655ec47f91afd556b811edd707dbb8c7dd8efc0
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Apr 12 16:58:23 2006 +0000

    second part of dans patch Tue, 11 Apr 2006 09:25:24 -0400

 refpolicy/policy/modules/apps/ada.fc          |    9 +++++++
 refpolicy/policy/modules/apps/ada.if          |   29 +++++++++++++++++++++++++
 refpolicy/policy/modules/apps/ada.te          |   23 +++++++++++++++++++
 refpolicy/policy/modules/apps/mono.te         |   10 +++++++-
 refpolicy/policy/modules/kernel/devices.if    |   19 ++++++++++++++++
 refpolicy/policy/modules/kernel/devices.te    |    2 +-
 refpolicy/policy/modules/services/hal.te      |    4 ++-
 refpolicy/policy/modules/system/unconfined.te |    8 +++---
 8 files changed, 97 insertions(+), 7 deletions(-)
---
diff --git a/refpolicy/policy/modules/apps/ada.fc b/refpolicy/policy/modules/apps/ada.fc
new file mode 100644
index 0000000..01a8572
--- /dev/null
+++ b/refpolicy/policy/modules/apps/ada.fc
@@ -0,0 +1,9 @@
+#
+# /usr
+#
+ifdef(`targeted_policy',`
+/usr/bin/gnatbind	--	gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatls		--	gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatmake	--	gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0)
+')
diff --git a/refpolicy/policy/modules/apps/ada.if b/refpolicy/policy/modules/apps/ada.if
new file mode 100644
index 0000000..6d8950f
--- /dev/null
+++ b/refpolicy/policy/modules/apps/ada.if
@@ -0,0 +1,29 @@
+## <summary>GNAT Ada95 compiler</summary>
+
+########################################
+## <summary>
+##	Execute the ada program in the ada domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ada_domtrans',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type ada_t, ada_exec_t;
+		')
+
+		corecmd_search_bin($1)
+		domain_auto_trans($1, ada_exec_t, ada_t)
+
+		allow $1 ada_t:fd use;
+		allow ada_t $1:fd use;
+		allow ada_t $1:fifo_file rw_file_perms;
+		allow ada_t $1:process sigchld;
+	',`
+		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+	')
+')
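Review bot: The header comment for `ada_domtrans` does not tell callers that the body is compiled only under `targeted_policy`, and that in strict policy the call expands to nothing but the `errprint` warning. ada.te in this same commit gives `ada_t` `execstack`/`execmem` and `unconfined_domain_noaudit`, so a caller is granting a transition into an unconfined domain with relaxed memory protections. I would add a `## <desc>` paragraph to the header stating both facts: the transition takes effect only in targeted policy, and the target domain is unconfined and permits an executable stack and executable anonymous memory.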
diff --git a/refpolicy/policy/modules/apps/ada.te b/refpolicy/policy/modules/apps/ada.te
new file mode 100644
index 0000000..f8167b8
--- /dev/null
+++ b/refpolicy/policy/modules/apps/ada.te
@@ -0,0 +1,23 @@
+
+policy_module(ada,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ada_t;
+type ada_exec_t;
+domain_type(ada_t)
+domain_entry_file(ada_t,ada_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow ada_t self:process { execstack execmem };
+	unconfined_domain_noaudit(ada_t)
+	role system_r types ada_t;
+')
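Review bot: The rule `allow ada_t self:process { execstack execmem };` has no comment explaining why the GNAT tools need it. These permissions switch off the executable-memory checks for everything running in `ada_t`, and `unconfined_domain_noaudit(ada_t)` adds no confinement, so as far as this commit shows the module exists only to scope that exception to files labelled `ada_exec_t`. I would say so above the rule, e.g. `# GNAT tools need an executable stack and executable anonymous memory; ada_t only scopes that exception to ada_exec_t binaries`. The type declarations and `domain_entry_file` sit outside the `ifdef`, so in strict policy `ada_t` is declared with no rules; if that is intended, a one-line comment would help.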
diff --git a/refpolicy/policy/modules/apps/mono.te b/refpolicy/policy/modules/apps/mono.te
index a3bfa8b..1715c18 100644
--- a/refpolicy/policy/modules/apps/mono.te
+++ b/refpolicy/policy/modules/apps/mono.te
@@ -1,5 +1,5 @@
 
-policy_module(mono,1.1.0)
+policy_module(mono,1.1.1)
 
 ########################################
 #
@@ -21,4 +21,12 @@ ifdef(`targeted_policy',`
 	allow mono_t self:process { execheap execmem };
 	unconfined_domain_noaudit(mono_t)
 	role system_r types mono_t;
+
+	optional_policy(`
+		avahi_dbus_chat(mono_t)
+	')
+
+	optional_policy(`
+		hal_dbus_chat(mono_t)
+	')
 ')
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 1ee19c4..62ff408 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2532,6 +2532,25 @@ interface(`dev_list_usbfs',`
 
 ########################################
 ## <summary>
+##	Set the attributes of usbfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_usbfs_files',`
+	gen_require(`
+		type usbfs_t;
+	')
+
+	allow $1 usbfs_t:dir r_dir_perms;
+	allow $1 usbfs_t:file setattr;
+')
+
+########################################
+## <summary>
 ##	Read USB hardware information using
 ##	the usbfs filesystem interface.
 ## </summary>
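Review bot: The summary "Set the attributes of usbfs filesystem." does not match what `dev_setattr_usbfs_files` grants. The rules allow `setattr` on `usbfs_t` files, not on the filesystem itself, and additionally grant `r_dir_perms` on `usbfs_t` directories. I would reword the summary to `##	Set the attributes of files on a usbfs filesystem.` and mention the directory read access, so callers know the interface also lets the domain list usbfs directories. The hunk ends inside the header comment of the following interface, which continues outside it.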
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 8e9f377..8f6bd83 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.9)
+policy_module(devices,1.1.10)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 6895d46..877926b 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.3.3)
+policy_module(hal,1.3.4)
 
 ########################################
 #
@@ -80,6 +80,8 @@ dev_read_lvm_control(hald_t)
 dev_getattr_all_chr_files(hald_t)
 dev_manage_generic_chr_files(hald_t)
 dev_rw_generic_usb_dev(hald_t)
+dev_setattr_generic_usb_dev(hald_t)
+dev_setattr_usbfs_files(hald_t)
 
 # hal is now execing pm-suspend
 dev_rw_sysfs(hald_t)
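Review bot: The two added calls, `dev_setattr_generic_usb_dev(hald_t)` and `dev_setattr_usbfs_files(hald_t)`, have no comment saying what hald does that requires them, unlike the `# hal is now execing pm-suspend` line just below. `setattr` covers changing mode and ownership, so this lets hald alter who can open USB device nodes and usbfs files. Presumably that is how it hands devices to the logged-in user, but the hunk does not say. I would add a line such as `# hal adjusts ownership/mode of USB device nodes and usbfs entries` above them, corrected to the real reason, so a later audit can tell whether the access is still needed.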
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 0674249..1d48a90 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.3.4)
+policy_module(unconfined,1.3.5)
 
 ########################################
 #
@@ -41,9 +41,9 @@ ifdef(`targeted_policy',`
 	userdom_unconfined(unconfined_t)
 	userdom_priveleged_home_dir_manager(unconfined_t)
 
-#	optional_policy(`
-#		ada_domtrans(unconfined_t)
-#	')
+	optional_policy(`
+		ada_domtrans(unconfined_t)
+	')
 
 	optional_policy(`
 		amanda_domtrans_recover(unconfined_t)

