[selinux-policy: 2003/3172] trunk: networkmanager/ppp patch from dan.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:57:59 UTC 2010
commit ae3386373a6dbb01ca21fa6480a2c774e3dbeeab
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Sep 11 13:35:06 2008 +0000
trunk: networkmanager/ppp patch from dan.
policy/modules/services/networkmanager.if | 37 +++++++++++++++++++++++++++++
policy/modules/services/networkmanager.te | 8 +++++-
policy/modules/services/ppp.fc | 2 +
policy/modules/services/ppp.if | 18 ++++++++++++++
policy/modules/services/ppp.te | 10 +++++--
5 files changed, 71 insertions(+), 4 deletions(-)
---
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
index 9e9d836..e874197 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -97,3 +97,40 @@ interface(`networkmanager_dbus_chat',`
allow $1 NetworkManager_t:dbus send_msg;
allow NetworkManager_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Send a generic signal to NetworkManager
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_signal',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:process signal;
+')
+
+########################################
+## <summary>
+## Read NetworkManager PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_read_pid_files',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 NetworkManager_var_run_t:file read_file_perms;
+')
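Review bot: networkmanager_read_pid_files grants `file read_file_perms` on NetworkManager_var_run_t but no `dir search` on that type, so if NetworkManager keeps its pid file under a directory that is itself labeled NetworkManager_var_run_t (the labeling is not visible here) a caller would still be denied at the directory. The refpolicy idiom `read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)` covers both the directory search and the file read and would replace the single allow line. Nothing in this commit calls either new interface, so networkmanager_read_pid_files has no consumer yet; presumably that arrives in a follow-up.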
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index fc92ba1..a656bb8 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager, 1.10.0)
+policy_module(networkmanager, 1.10.1)
########################################
#
@@ -10,6 +10,12 @@ type NetworkManager_t;
type NetworkManager_exec_t;
init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
+type NetworkManager_log_t;
+logging_log_file(NetworkManager_log_t)
+
+type NetworkManager_script_exec_t;
+init_script_file(NetworkManager_script_exec_t)
+
type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t)
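Review bot: NetworkManager_log_t and NetworkManager_script_exec_t are declared here but nothing in this commit labels a file with them or lets NetworkManager_t use them; the diffstat shows no change to networkmanager.fc and the hunk adds no allow rules. Until a file context for the log path and for the init script exists, and NetworkManager_t gets rules to create and write NetworkManager_log_t files, both types are dead declarations. If that is intended for a later change, a short comment such as `# log and init-script types; file contexts and access rules follow separately` would tell a reader the declaration is deliberate rather than an oversight.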
diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
index 6ea513d..43a091a 100644
--- a/policy/modules/services/ppp.fc
+++ b/policy/modules/services/ppp.fc
@@ -1,6 +1,8 @@
#
# /etc
#
+/etc/rc.d/init.d/ppp -- gen_context(system_u:object_r:pppd_script_exec_t,s0)
+
/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
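Review bot: The new file context assigns pppd_script_exec_t, but this commit does not declare that type; the ppp.te hunks below only touch the module version, the capability set, the sysctl interface and the NetworkManager signal rule. If pppd_script_exec_t is not already declared in ppp.te (not visible here), the module will fail to build or the context will be rejected at labeling time. The usual pairing is a `type pppd_script_exec_t;` plus `init_script_file(pppd_script_exec_t)` declaration alongside the entry, as this commit does for NetworkManager_script_exec_t.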
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index 2ce1141..6997c1a 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -76,6 +76,24 @@ interface(`ppp_signal',`
########################################
## <summary>
+## Send a generic signull to PPP.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_signull',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process signull;
+')
+
+########################################
+## <summary>
## Execute domain in the ppp domain.
## </summary>
## <param name="domain">
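Review bot: The summary on the new ppp_signull interface reads `## Send a generic signull to PPP.`, but signull is not a signal that is delivered; it is the permission for a null-signal existence check (`kill(pid, 0)`). A more accurate summary would be `## Check for the existence of a pppd process (send a null signal).` so that policy writers do not reach for it when they need ppp_signal. No caller of ppp_signull is added in this commit, so it is presumably meant for NetworkManager in a later change.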
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 2ed25ee..a45d833 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -1,5 +1,5 @@
-policy_module(ppp, 1.8.0)
+policy_module(ppp, 1.8.1)
########################################
#
@@ -71,7 +71,7 @@ files_pid_file(pptp_var_run_t)
# PPPD Local policy
#
-allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
+allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
dontaudit pppd_t self:capability sys_tty_config;
allow pppd_t self:process signal;
allow pppd_t self:fifo_file rw_fifo_file_perms;
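Review bot: Adding `kill` to pppd_t's self capability set lets pppd signal processes owned by any uid, and the only visible motivation is the networkmanager_signal(pppd_t) rule added further down in this file; pppd is normally started as root, where CAP_KILL is not required, so this is presumably for the case where pppd has dropped to another uid (it already holds setuid and setgid). If that is the reason, a why-comment on the line, e.g. `# kill: pppd may run unprivileged and must signal NetworkManager`, would keep the next reviewer from treating it as cruft, and if the denial was only ever observed once a `dontaudit` may be enough. SELinux still limits the targets to domains pppd_t has process:signal rules for, so the capability on its own is not a large widening.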
@@ -116,7 +116,7 @@ allow pppd_t pppd_secret_t:file read_file_perms;
kernel_read_kernel_sysctls(pppd_t)
kernel_read_system_state(pppd_t)
-kernel_read_net_sysctls(pppd_t)
+kernel_rw_net_sysctls(pppd_t)
kernel_read_network_state(pppd_t)
kernel_load_module(pppd_t)
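Review bot: Switching from kernel_read_net_sysctls to kernel_rw_net_sysctls gives pppd_t write access to every key under /proc/sys/net rather than the one it needs; refpolicy offers no finer-grained interface for most net sysctls, so the widening is understandable, but the line should record which sysctl pppd writes (presumably per-interface settings for the ppp device it brings up) so it can be narrowed if a more specific interface appears later, e.g. `# pppd writes net sysctls for the ppp interface it configures`. pppd_t also holds net_admin, which is consistent with the write. The surrounding rule run continues outside the hunk on both sides.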
@@ -200,6 +200,10 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_signal(pppd_t)
+')
+
+optional_policy(`
postfix_domtrans_master(pppd_t)
')