[selinux-policy: 2716/3172] Kernel patch from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:01:40 UTC 2010
commit 60f04fcb7adadd7969eaec59eff008d9ca7ee8ec
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Jun 7 11:08:35 2010 -0400
Kernel patch from Dan Walsh.
Add ability to dontaudit requests to load kernel modules. If you
disable ipv6 every confined app that does ip, tries to get the kernel to
load the module.
Better handling of unlabeled files by the kernel interfaces
policy/modules/kernel/kernel.if | 53 +++++++++++++++++++++++++++++++++++++++
policy/modules/kernel/kernel.te | 2 +-
2 files changed, 54 insertions(+), 1 deletions(-)
---
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 0352a19..814da80 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -534,6 +534,24 @@ interface(`kernel_request_load_module',`
########################################
## <summary>
+## Do not audit requests to the kernel to load a module.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_request_load_module',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ dontaudit $1 kernel_t:system module_request;
+')
+
+########################################
+## <summary>
## Get information on all System V IPC objects.
## </summary>
## <param name="domain">
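Review bot: The summary of the new `kernel_dontaudit_request_load_module` interface should state how broad the rule is: `dontaudit $1 kernel_t:system module_request;` silences every module autoload request the domain makes, not only the ipv6 case the commit message gives as motivation, so a genuinely needed module in some other subsystem would fail without any AVC trace for that domain. Suggest extending the summary to `## Do not audit requests to the kernel to load a module. This hides all module_request denials for the domain; use kernel_request_load_module() when the domain actually needs the module loaded.` The sibling `kernel_request_load_module` interface is named in the hunk header but its body lies outside this hunk.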
@@ -2046,6 +2064,23 @@ interface(`kernel_mount_unlabeled',`
allow $1 unlabeled_t:filesystem mount;
')
+########################################
+## <summary>
+## Unmount a kernel unlabeled filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_unmount_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:filesystem unmount;
+')
########################################
## <summary>
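Review bot: The new `kernel_unmount_unlabeled` block is not separated from its neighbours by blank lines: the `')` that closes `kernel_mount_unlabeled` runs straight into the added `########################################` banner, and the block's own closing `')` runs straight into the next banner, whereas the other two interfaces added by this patch put one empty line between interfaces. Insert a blank line before the opening banner and another after the closing `')` so the file keeps one consistent separator style.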
@@ -2195,6 +2230,24 @@ interface(`kernel_rw_unlabeled_dirs',`
########################################
## <summary>
+## Read and write unlabeled files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_rw_unlabeled_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts by caller to get the
## attributes of an unlabeled file.
## </summary>
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 78fb6b2..b0b4617 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel, 1.12.0)
+policy_module(kernel, 1.12.1)
########################################
#