[selinux-policy: 2751/3172] Slocate patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:04:46 UTC 2010


commit eab2cc89b49f18eb6bc2b571f24737c843eec8ca
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jun 22 09:58:14 2010 -0400

    Slocate patch from Dan Walsh.
    
    Locate attempts to look at network state and does getattr on all blk/chr
    and noxattr symlinks.

 policy/modules/apps/slocate.te      |    6 ++++-
 policy/modules/kernel/filesystem.if |   38 +++++++++++++++++++++++++++++++++++
 policy/modules/kernel/filesystem.te |    2 +-
 3 files changed, 44 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te
index fc443ec..e9134f0 100644
--- a/policy/modules/apps/slocate.te
+++ b/policy/modules/apps/slocate.te
@@ -1,4 +1,4 @@
-policy_module(slocate, 1.9.0)
+policy_module(slocate, 1.9.1)
 
 #################################
 #
@@ -29,6 +29,7 @@ manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
 manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
 
 kernel_read_system_state(locate_t)
+kernel_dontaudit_search_network_state(locate_t)
 kernel_dontaudit_search_sysctl(locate_t)
 
 corecmd_exec_bin(locate_t)
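Review bot: The added `kernel_dontaudit_search_network_state(locate_t)` has no comment explaining why the denial is silenced. A dontaudit rule removes those AVC records from the audit log, so whoever later investigates locate_t behaviour has no trace that the access is attempted or that hiding it was deliberate. Going by the commit message, a line such as `# locate tries to search network state while indexing; the denial is expected` above the call would record the intent.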
@@ -47,8 +48,11 @@ fs_getattr_all_fs(locate_t)
 fs_getattr_all_files(locate_t)
 fs_getattr_all_pipes(locate_t)
 fs_getattr_all_symlinks(locate_t)
+fs_getattr_all_blk_files(locate_t)
+fs_getattr_all_chr_files(locate_t)
 fs_list_all(locate_t)
 fs_list_inotifyfs(locate_t)
+fs_read_noxattr_fs_symlinks(locate_t)
 
 # getpwnam
 auth_use_nsswitch(locate_t)
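Review bot: `fs_read_noxattr_fs_symlinks(locate_t)` appears to grant more than the commit message describes. The message speaks of getattr on noxattr symlinks, while this interface by its name allows reading the link target. If locate only stats these links, the existing `fs_getattr_all_symlinks(locate_t)` a few lines up may already cover them (assuming the noxattr filesystem types carry the `filesystem_type` attribute), and the read permission could be dropped. If reading the target is needed, a comment such as `# locate reads symlink targets on filesystems without xattr support` would record why the wider permission is there.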
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 85b3bb4..0df5803 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4574,6 +4574,44 @@ interface(`fs_dontaudit_getattr_all_sockets',`
 
 ########################################
 ## <summary>
+##	Get the attributes of all block device nodes with
+##	a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_all_blk_files',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	getattr_blk_files_pattern($1, filesystem_type, filesystem_type)
+')
+
+########################################
+## <summary>
+##	Get the attributes of all character device nodes with
+##	a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_all_chr_files',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	getattr_chr_files_pattern($1, filesystem_type, filesystem_type)
+')
+
+########################################
+## <summary>
 ##	Unconfined access to filesystems
 ## </summary>
 ## <param name="domain">
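Review bot: The summaries of `fs_getattr_all_blk_files` and `fs_getattr_all_chr_files` say "with a filesystem type", which does not make clear that only nodes labeled with a type in `filesystem_type` are matched. A policy author could read the interface names as covering device nodes in general and either over-rely on them or grant them where a narrower interface would do. I would reword the first line to `Get the attributes of all block device nodes labeled with a filesystem type` (and likewise for character devices) and add a sentence that nodes carrying device labels are not covered, assuming the attribute is limited to filesystem types as its name suggests.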
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 5637b17..fb63c3a 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.13.0)
+policy_module(filesystem, 1.13.1)
 
 ########################################
 #

