[selinux-policy: 2097/3172] trunk: 4 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:06:03 UTC 2010


commit c90440a7cd8faaaf027614fff148c2d16c04e047
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Mar 11 13:32:23 2009 +0000

    trunk: 4 patches from dan.

 policy/modules/apps/games.if    |   19 +++++++++++++++++++
 policy/modules/apps/games.te    |    2 +-
 policy/modules/apps/loadkeys.te |    3 ++-
 policy/modules/apps/mplayer.fc  |    1 +
 policy/modules/apps/mplayer.if  |   19 +++++++++++++++++++
 policy/modules/apps/mplayer.te  |    2 +-
 policy/modules/apps/slocate.te  |    6 ++++--
 7 files changed, 47 insertions(+), 5 deletions(-)
---
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
index c136e1f..7ac736d 100644
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@@ -30,3 +30,22 @@ interface(`games_role',`
 	ps_process_pattern($2, games_t)
 	allow $2 games_t:process signal_perms;
 ')
+
+########################################
+## <summary>
+##	Allow the specified domain to read/write
+##	games data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`games_rw_data',`
+	gen_require(`
+		type games_data_t;
+	')
+
+	rw_files_pattern($1, games_data_t, games_data_t)
+')
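Review bot: The summary on `games_rw_data` promises read/write access to "games data", but `rw_files_pattern($1, games_data_t, games_data_t)` only covers regular files of that type, plus the directory search needed to reach them. It grants no create or delete and nothing for other object classes. I would tighten the summary to `Read and write existing games data files.` so a caller does not expect to create score files through it. None of the seven files in this commit calls the interface (games.te only bumps the version), so it is worth recording which domain needs it.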
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index b090917..c1e48d6 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -1,5 +1,5 @@
 
-policy_module(games, 2.0.1)
+policy_module(games, 2.0.2)
 
 ########################################
 #
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index e7aa67d..bd75a77 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -1,5 +1,5 @@
 
-policy_module(loadkeys, 1.5.0)
+policy_module(loadkeys, 1.5.1)
 
 ########################################
 #
@@ -40,6 +40,7 @@ locallogin_use_fds(loadkeys_t)
 miscfiles_read_localization(loadkeys_t)
 
 userdom_use_user_ttys(loadkeys_t)
+userdom_list_user_home_dirs(loadkeys_t)
 
 optional_policy(`
 	nscd_dontaudit_search_pid(loadkeys_t)
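Review bot: `userdom_list_user_home_dirs(loadkeys_t)` lets loadkeys enumerate the entries of user home directories, and nothing in the hunk records why a keymap loader needs that. If the denial only came from loadkeys being started with a home directory as its working directory, or from traversing it to reach a keymap file, the narrower `userdom_search_user_home_dirs(loadkeys_t)` would probably be enough; please check this against the AVC that motivated the change. Either way, a one-line comment above the call stating the reason (for example `# loadkeys is run from the user's home directory`, if that is the case) would help the next reviewer. The `optional_policy` block at the end of the hunk continues outside it.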
diff --git a/policy/modules/apps/mplayer.fc b/policy/modules/apps/mplayer.fc
index ab54284..e1fe850 100644
--- a/policy/modules/apps/mplayer.fc
+++ b/policy/modules/apps/mplayer.fc
@@ -8,6 +8,7 @@
 #
 /usr/bin/mplayer	--	gen_context(system_u:object_r:mplayer_exec_t,s0)
 /usr/bin/mencoder	--	gen_context(system_u:object_r:mencoder_exec_t,s0)
+/usr/bin/vlc		--	gen_context(system_u:object_r:mplayer_exec_t,s0)
 /usr/bin/xine		--	gen_context(system_u:object_r:mplayer_exec_t,s0)
 
 HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:mplayer_home_t,s0)
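Review bot: Labeling `/usr/bin/vlc` as `mplayer_exec_t` places vlc under the mplayer policy, but the only per-user entry visible in this hunk is `HOME_DIR/\.mplayer(/.*)?`. vlc's own per-user configuration directory would therefore presumably not receive `mplayer_home_t`. I would add a matching entry, e.g. `HOME_DIR/<vlc config dir>(/.*)?	gen_context(system_u:object_r:mplayer_home_t,s0)`, with the placeholder path confirmed against the packaged vlc. The entry also matches only the exact path `/usr/bin/vlc`, so any wrapper or alternative front-end binary the package ships would keep its default label.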
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index 8944655..1f9adca 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -67,6 +67,25 @@ interface(`mplayer_domtrans',`
 
 ########################################
 ## <summary>
+##      Execute mplayer in the caller domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+#
+interface(`mplayer_exec',`
+	gen_require(`
+		type mplayer_exec_t;
+	')
+
+	can_exec($1, mplayer_exec_t)
+')
+
+########################################
+## <summary>
 ##	Read mplayer per user homedir
 ## </summary>
 ## <param name="domain">
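Review bot: The summary for `mplayer_exec` reads "Execute mplayer in the caller domain", but `can_exec($1, mplayer_exec_t)` applies to every binary carrying that label. Per mplayer.fc in this same commit that includes xine and now vlc, and they run with the caller's own permissions instead of going through `mplayer_domtrans`. I would reword it to `Execute mplayer_exec_t programs (mplayer, xine, vlc) in the caller domain, without a domain transition.` so callers see the real scope. The new header also has a doubled `#` line before `interface(` and is indented with spaces where the following block uses a tab; dropping the extra `#` and using tabs would match the file. The doc block of the next interface continues outside the hunk.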
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index 83c177c..fe54f00 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -1,5 +1,5 @@
 
-policy_module(mplayer, 2.0.0)
+policy_module(mplayer, 2.0.1)
 
 ########################################
 #
diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te
index 01915af..17914c9 100644
--- a/policy/modules/apps/slocate.te
+++ b/policy/modules/apps/slocate.te
@@ -1,5 +1,5 @@
 
-policy_module(slocate, 1.8.0)
+policy_module(slocate, 1.8.1)
 
 #################################
 #
@@ -22,7 +22,7 @@ files_type(locate_var_lib_t)
 #
 
 allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
-allow locate_t self:process { execmem execheap execstack };
+allow locate_t self:process { execmem execheap execstack signal };
 allow locate_t self:fifo_file rw_fifo_file_perms;
 allow locate_t self:unix_stream_socket create_socket_perms;
 
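Review bot: The rewritten `allow locate_t self:process` rule still carries `execmem execheap execstack`, for a domain that the line above grants `dac_read_search` and `dac_override`. Folding `signal` into the same rule makes it harder to see which permission answers which denial. I would put the new permission on its own line, `allow locate_t self:process signal;`, and mark the exec* rule with a comment such as `# FIXME: confirm locate still needs executable heap/stack`. Executable heap and stack remove a useful memory-corruption mitigation from a process that can bypass DAC while walking untrusted file names, so it deserves a recorded justification.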
@@ -46,6 +46,8 @@ files_read_etc_files(locate_t)
 
 fs_getattr_all_fs(locate_t)
 fs_getattr_all_files(locate_t)
+fs_getattr_all_pipes(locate_t)
+fs_getattr_all_symlinks(locate_t)
 fs_list_all(locate_t)
 fs_list_inotifyfs(locate_t)
 
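Review bot: Only pipes and symlinks are added next to `fs_getattr_all_files(locate_t)`, so if locate also stats sockets or device nodes on these filesystems it will presumably still log denials for those classes. It is worth checking the AVCs from a full database build and deciding per class whether to allow or dontaudit. A comment above the group, such as `# locate stats every entry it walks: getattr only, no read`, would make it clear that the calls are deliberately limited to getattr.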

