[selinux-policy: 2896/3172] Allow hugetlbfs_t to be on device_t file system Allow sudo domains to signal user domains Dontaudit

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:17:51 UTC 2010 

commit 1a82786cc8ae6025bfdfdd3a8da5fd0f80236899
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Sep 10 10:10:34 2010 -0400

    Allow hugetlbfs_t to be on device_t file system
    Allow sudo domains to signal user domains
    Dontaudit xdm_t sending signals to all domains
    Fix allow_exec* boolean descriptions

 policy/global_tunables              |    6 +++---
 policy/modules/admin/sudo.if        |    1 +
 policy/modules/kernel/domain.if     |   19 +++++++++++++++++++
 policy/modules/kernel/filesystem.te |    2 +-
 policy/modules/services/xserver.te  |    1 +
 5 files changed, 25 insertions(+), 4 deletions(-)
---
diff --git a/policy/global_tunables b/policy/global_tunables
index 56af226..f85244d 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -13,21 +13,21 @@ gen_tunable(allow_execheap,false)
 
 ## <desc>
 ## <p>
-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
+## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
 ## </p>
 ## </desc>
 gen_tunable(allow_execmem,false)
 
 ## <desc>
 ## <p>
-## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
+## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
 ## </p>
 ## </desc>
 gen_tunable(allow_execmod,false)
 
 ## <desc>
 ## <p>
-## Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
+## Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
 ## </p>
 ## </desc>
 gen_tunable(allow_execstack,false)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 464a11e..2993130 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -140,6 +140,7 @@ template(`sudo_role_template',`
 	userdom_manage_user_tmp_files($1_sudo_t)
 	userdom_manage_user_tmp_symlinks($1_sudo_t)
 	userdom_use_user_terminals($1_sudo_t)
+	userdom_signal_unpriv_users($1_sudo_t)
 	# for some PAM modules and for cwd
 	userdom_search_user_home_content($1_sudo_t)
 	userdom_search_admin_dir($1_sudo_t)
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 09d4b31..0d8458a 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -474,6 +474,25 @@ interface(`domain_signal_all_domains',`
 
 ########################################
 ## <summary>
+##	Dontaudit sending general signals to all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_dontaudit_signal_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:process signal;
+')
+
+########################################
+## <summary>
 ##	Send a null signal to all domains.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 31ebaa7..a09ab47 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -102,7 +102,7 @@ type hugetlbfs_t;
 fs_type(hugetlbfs_t)
 files_mountpoint(hugetlbfs_t)
 fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
-dev_associate_sysfs(hugetlbfs_t)
+dev_associate(hugetlbfs_t)
 
 type ibmasmfs_t;
 fs_type(ibmasmfs_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 9b9e013..5fbf38f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -576,6 +576,7 @@ domain_use_interactive_fds(xdm_t)
 # Do not audit denied probes of /proc.
 domain_dontaudit_read_all_domains_state(xdm_t)
 domain_dontaudit_ptrace_all_domains(xdm_t)
+domain_dontaudit_signal_all_domains(xdm_t)
 
 files_read_etc_files(xdm_t)
 files_read_var_files(xdm_t)

More information about the scm-commits mailing list