[selinux-policy: 2097/3172] trunk: 4 patches from dan.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:06:03 UTC 2010
commit c90440a7cd8faaaf027614fff148c2d16c04e047
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Mar 11 13:32:23 2009 +0000
trunk: 4 patches from dan.
policy/modules/apps/games.if | 19 +++++++++++++++++++
policy/modules/apps/games.te | 2 +-
policy/modules/apps/loadkeys.te | 3 ++-
policy/modules/apps/mplayer.fc | 1 +
policy/modules/apps/mplayer.if | 19 +++++++++++++++++++
policy/modules/apps/mplayer.te | 2 +-
policy/modules/apps/slocate.te | 6 ++++--
7 files changed, 47 insertions(+), 5 deletions(-)
---
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
index c136e1f..7ac736d 100644
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@@ -30,3 +30,22 @@ interface(`games_role',`
ps_process_pattern($2, games_t)
allow $2 games_t:process signal_perms;
')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write
+## games data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`games_rw_data',`
+ gen_require(`
+ type games_data_t;
+ ')
+
+ rw_files_pattern($1, games_data_t, games_data_t)
+')
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index b090917..c1e48d6 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -1,5 +1,5 @@
-policy_module(games, 2.0.1)
+policy_module(games, 2.0.2)
########################################
#
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index e7aa67d..bd75a77 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -1,5 +1,5 @@
-policy_module(loadkeys, 1.5.0)
+policy_module(loadkeys, 1.5.1)
########################################
#
@@ -40,6 +40,7 @@ locallogin_use_fds(loadkeys_t)
miscfiles_read_localization(loadkeys_t)
userdom_use_user_ttys(loadkeys_t)
+userdom_list_user_home_dirs(loadkeys_t)
optional_policy(`
nscd_dontaudit_search_pid(loadkeys_t)
diff --git a/policy/modules/apps/mplayer.fc b/policy/modules/apps/mplayer.fc
index ab54284..e1fe850 100644
--- a/policy/modules/apps/mplayer.fc
+++ b/policy/modules/apps/mplayer.fc
@@ -8,6 +8,7 @@
#
/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0)
/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
+/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0)
/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0)
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index 8944655..1f9adca 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -67,6 +67,25 @@ interface(`mplayer_domtrans',`
########################################
## <summary>
+## Execute mplayer in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`mplayer_exec',`
+ gen_require(`
+ type mplayer_exec_t;
+ ')
+
+ can_exec($1, mplayer_exec_t)
+')
+
+########################################
+## <summary>
## Read mplayer per user homedir
## </summary>
## <param name="domain">
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index 83c177c..fe54f00 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -1,5 +1,5 @@
-policy_module(mplayer, 2.0.0)
+policy_module(mplayer, 2.0.1)
########################################
#
diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te
index 01915af..17914c9 100644
--- a/policy/modules/apps/slocate.te
+++ b/policy/modules/apps/slocate.te
@@ -1,5 +1,5 @@
-policy_module(slocate, 1.8.0)
+policy_module(slocate, 1.8.1)
#################################
#
@@ -22,7 +22,7 @@ files_type(locate_var_lib_t)
#
allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
-allow locate_t self:process { execmem execheap execstack };
+allow locate_t self:process { execmem execheap execstack signal };
allow locate_t self:fifo_file rw_fifo_file_perms;
allow locate_t self:unix_stream_socket create_socket_perms;
@@ -46,6 +46,8 @@ files_read_etc_files(locate_t)
fs_getattr_all_fs(locate_t)
fs_getattr_all_files(locate_t)
+fs_getattr_all_pipes(locate_t)
+fs_getattr_all_symlinks(locate_t)
fs_list_all(locate_t)
fs_list_inotifyfs(locate_t)
More information about the scm-commits
mailing list