[selinux-policy: 2896/3172] Allow hugetlbfs_t to be on device_t file system Allow sudo domains to signal user domains Dontaudit
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:17:51 UTC 2010
commit 1a82786cc8ae6025bfdfdd3a8da5fd0f80236899
Author: Dan Walsh <dwalsh at redhat.com>
Date: Fri Sep 10 10:10:34 2010 -0400
Allow hugetlbfs_t to be on device_t file system
Allow sudo domains to signal user domains
Dontaudit xdm_t sending signals to all domains
Fix allow_exec* boolean descriptions
policy/global_tunables | 6 +++---
policy/modules/admin/sudo.if | 1 +
policy/modules/kernel/domain.if | 19 +++++++++++++++++++
policy/modules/kernel/filesystem.te | 2 +-
policy/modules/services/xserver.te | 1 +
5 files changed, 25 insertions(+), 4 deletions(-)
---
diff --git a/policy/global_tunables b/policy/global_tunables
index 56af226..f85244d 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -13,21 +13,21 @@ gen_tunable(allow_execheap,false)
## <desc>
## <p>
-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
+## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
## </p>
## </desc>
gen_tunable(allow_execmem,false)
## <desc>
## <p>
-## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
+## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
## </p>
## </desc>
gen_tunable(allow_execmod,false)
## <desc>
## <p>
-## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
+## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
## </p>
## </desc>
gen_tunable(allow_execstack,false)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 464a11e..2993130 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -140,6 +140,7 @@ template(`sudo_role_template',`
userdom_manage_user_tmp_files($1_sudo_t)
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
+ userdom_signal_unpriv_users($1_sudo_t)
# for some PAM modules and for cwd
userdom_search_user_home_content($1_sudo_t)
userdom_search_admin_dir($1_sudo_t)
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 09d4b31..0d8458a 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -474,6 +474,25 @@ interface(`domain_signal_all_domains',`
########################################
## <summary>
+## Dontaudit sending general signals to all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_dontaudit_signal_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:process signal;
+')
+
+########################################
+## <summary>
## Send a null signal to all domains.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 31ebaa7..a09ab47 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -102,7 +102,7 @@ type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
-dev_associate_sysfs(hugetlbfs_t)
+dev_associate(hugetlbfs_t)
type ibmasmfs_t;
fs_type(ibmasmfs_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 9b9e013..5fbf38f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -576,6 +576,7 @@ domain_use_interactive_fds(xdm_t)
# Do not audit denied probes of /proc.
domain_dontaudit_read_all_domains_state(xdm_t)
domain_dontaudit_ptrace_all_domains(xdm_t)
+domain_dontaudit_signal_all_domains(xdm_t)
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
More information about the scm-commits
mailing list