[selinux-policy: 2003/3172] trunk: networkmanager/ppp patch from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:57:59 UTC 2010


commit ae3386373a6dbb01ca21fa6480a2c774e3dbeeab
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Sep 11 13:35:06 2008 +0000

    trunk: networkmanager/ppp patch from dan.

 policy/modules/services/networkmanager.if |   37 +++++++++++++++++++++++++++++
 policy/modules/services/networkmanager.te |    8 +++++-
 policy/modules/services/ppp.fc            |    2 +
 policy/modules/services/ppp.if            |   18 ++++++++++++++
 policy/modules/services/ppp.te            |   10 +++++--
 5 files changed, 71 insertions(+), 4 deletions(-)
---
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
index 9e9d836..e874197 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -97,3 +97,40 @@ interface(`networkmanager_dbus_chat',`
 	allow $1 NetworkManager_t:dbus send_msg;
 	allow NetworkManager_t $1:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Send a generic signal to NetworkManager
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_signal',`
+	gen_require(`
+		type NetworkManager_t;
+	')
+
+	allow $1 NetworkManager_t:process signal;
+')
+
+########################################
+## <summary>
+##	Read NetworkManager PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_read_pid_files',`
+	gen_require(`
+		type NetworkManager_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 NetworkManager_var_run_t:file read_file_perms;
+')
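Review bot: networkmanager_read_pid_files grants read_file_perms on NetworkManager_var_run_t files but only files_search_pids($1) for the directory, so if the PID directory under /var/run is itself labeled NetworkManager_var_run_t the caller still cannot traverse it. The usual refpolicy idiom covers both the directory search and the file read in one line: `read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)` in place of the allow rule. Whether the directory carries that label depends on networkmanager.fc, which this commit does not touch, so confirm against the file contexts before changing it.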
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index fc92ba1..a656bb8 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
 
-policy_module(networkmanager, 1.10.0)
+policy_module(networkmanager, 1.10.1)
 
 ########################################
 #
@@ -10,6 +10,12 @@ type NetworkManager_t;
 type NetworkManager_exec_t;
 init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
 
+type NetworkManager_log_t;
+logging_log_file(NetworkManager_log_t)
+
+type NetworkManager_script_exec_t;
+init_script_file(NetworkManager_script_exec_t)
+
 type NetworkManager_var_run_t;
 files_pid_file(NetworkManager_var_run_t)
 
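Review bot: NetworkManager_log_t and NetworkManager_script_exec_t are declared here but nothing in this commit uses them: the diffstat lists no networkmanager.fc change, so no file receives either label, and no rule in the visible hunks lets NetworkManager_t write NetworkManager_log_t or lets init run the script type. Unless such rules already exist in the rest of networkmanager.te outside this hunk, the two types are dead declarations until a follow-up adds the file contexts and rules such as `manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)` and `logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)`. A one-line comment above each type stating what it labels would make the intent visible to the next reader.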
diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
index 6ea513d..43a091a 100644
--- a/policy/modules/services/ppp.fc
+++ b/policy/modules/services/ppp.fc
@@ -1,6 +1,8 @@
 #
 # /etc
 #
+/etc/rc.d/init.d/ppp		--	gen_context(system_u:object_r:pppd_script_exec_t,s0)
+
 /etc/ppp			-d	gen_context(system_u:object_r:pppd_etc_t,s0)
 /etc/ppp(/.*)?			--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
 /etc/ppp/peers(/.*)?			gen_context(system_u:object_r:pppd_etc_rw_t,s0)
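Review bot: The new file context labels /etc/rc.d/init.d/ppp as pppd_script_exec_t, but none of the ppp.te hunks in this commit declare that type; the visible changes there are the version bump, the capability and sysctl changes and the networkmanager_signal call. Unless `type pppd_script_exec_t;` with `init_script_file(pppd_script_exec_t)` already exists in ppp.te outside the hunks, the policy build will reject this .fc entry for referencing an undeclared type. The entry mirrors the NetworkManager_script_exec_t declaration added in the same commit, so it looks like the matching declaration in ppp.te was left out.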
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index 2ce1141..6997c1a 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -76,6 +76,24 @@ interface(`ppp_signal',`
 
 ########################################
 ## <summary>
+##	Send a generic signull to PPP.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ppp_signull',`
+	gen_require(`
+		type pppd_t;
+	')
+
+	allow $1 pppd_t:process signull;
+')
+
+########################################
+## <summary>
 ##	 Execute domain in the ppp domain.
 ## </summary>
 ## <param name="domain">
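Review bot: The summary of ppp_signull reads "Send a generic signull to PPP", which copies the wording of the signal template; signull is the null signal used only to test whether the target process exists, and the summary should say so: `##	Send a null signal (signull) to PPP.`. The interface body itself follows the same shape as ppp_signal and grants only process signull on pppd_t. The trailing context lines of the hunk belong to the following interface, whose body is outside the hunk.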
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 2ed25ee..a45d833 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -1,5 +1,5 @@
 
-policy_module(ppp, 1.8.0)
+policy_module(ppp, 1.8.1)
 
 ########################################
 #
@@ -71,7 +71,7 @@ files_pid_file(pptp_var_run_t)
 # PPPD Local policy
 #
 
-allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
+allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
 dontaudit pppd_t self:capability sys_tty_config;
 allow pppd_t self:process signal;
 allow pppd_t self:fifo_file rw_fifo_file_perms;
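Review bot: The kill capability is added to pppd_t's self:capability set with no comment saying what needs it, and the next hunk (`@@ -116,7 +116,7 @@`) widens kernel_read_net_sysctls to kernel_rw_net_sysctls in the same silent way, turning read access to every net sysctl into write access. The only new signal target this commit grants is networkmanager_signal(pppd_t) in the last hunk, so kill is presumably for pppd signalling NetworkManager after it has changed uid via setuid; a comment tying the two together, e.g. `# kill: signal NetworkManager after dropping privileges, see networkmanager_signal below`, would let a later reviewer check that the capability is still required. For the sysctl change, a comment naming the sysctl pppd actually writes would let the rw grant be narrowed later if a finer-grained interface becomes available.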
@@ -116,7 +116,7 @@ allow pppd_t pppd_secret_t:file read_file_perms;
 
 kernel_read_kernel_sysctls(pppd_t)
 kernel_read_system_state(pppd_t)
-kernel_read_net_sysctls(pppd_t)
+kernel_rw_net_sysctls(pppd_t)
 kernel_read_network_state(pppd_t)
 kernel_load_module(pppd_t)
 
@@ -200,6 +200,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	networkmanager_signal(pppd_t)
+')
+
+optional_policy(`
 	postfix_domtrans_master(pppd_t)
 ')
 

