[selinux-policy: 2751/3172] Slocate patch from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:04:46 UTC 2010
commit eab2cc89b49f18eb6bc2b571f24737c843eec8ca
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Jun 22 09:58:14 2010 -0400
Slocate patch from Dan Walsh.
Locate attempts to look at network sate and does getattr on all blk/chr
and noxattr symlinks.
policy/modules/apps/slocate.te | 6 ++++-
policy/modules/kernel/filesystem.if | 38 +++++++++++++++++++++++++++++++++++
policy/modules/kernel/filesystem.te | 2 +-
3 files changed, 44 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te
index fc443ec..e9134f0 100644
--- a/policy/modules/apps/slocate.te
+++ b/policy/modules/apps/slocate.te
@@ -1,4 +1,4 @@
-policy_module(slocate, 1.9.0)
+policy_module(slocate, 1.9.1)
#################################
#
@@ -29,6 +29,7 @@ manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
kernel_read_system_state(locate_t)
+kernel_dontaudit_search_network_state(locate_t)
kernel_dontaudit_search_sysctl(locate_t)
corecmd_exec_bin(locate_t)
@@ -47,8 +48,11 @@ fs_getattr_all_fs(locate_t)
fs_getattr_all_files(locate_t)
fs_getattr_all_pipes(locate_t)
fs_getattr_all_symlinks(locate_t)
+fs_getattr_all_blk_files(locate_t)
+fs_getattr_all_chr_files(locate_t)
fs_list_all(locate_t)
fs_list_inotifyfs(locate_t)
+fs_read_noxattr_fs_symlinks(locate_t)
# getpwnam
auth_use_nsswitch(locate_t)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 85b3bb4..0df5803 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4574,6 +4574,44 @@ interface(`fs_dontaudit_getattr_all_sockets',`
########################################
## <summary>
+## Get the attributes of all block device nodes with
+## a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_all_blk_files',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ getattr_blk_files_pattern($1, filesystem_type, filesystem_type)
+')
+
+########################################
+## <summary>
+## Get the attributes of all character device nodes with
+## a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_all_chr_files',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ getattr_chr_files_pattern($1, filesystem_type, filesystem_type)
+')
+
+########################################
+## <summary>
## Unconfined access to filesystems
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 5637b17..fb63c3a 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.13.0)
+policy_module(filesystem, 1.13.1)
########################################
#
More information about the scm-commits
mailing list