[selinux-policy: 982/3172] add last bits from dan
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:29:51 UTC 2010
commit 1d697ce7d29cadb5a54ed1af4a58d845058a52e1
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Nov 18 18:38:37 2005 +0000
add last bits from dan
refpolicy/policy/modules/admin/su.if | 8 ++++++++
refpolicy/policy/modules/system/unconfined.if | 16 ++++++++++++++++
2 files changed, 24 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index f52bae5..c296943 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -211,6 +211,13 @@ template(`su_per_userdomain_template',`
userdom_search_user_home($1,$1_su_t)
ifdef(`targeted_policy',`
+ # allow user to suspend terminal.
+ # does not work in strict since the
+ # parent may not be able to use
+ # the terminal if we newrole,
+ # which relabels the terminal.
+ allow $1_su_t self:process sigstop;
+
corecmd_exec_bin($1_su_t)
userdom_manage_all_user_files($1_su_t)
userdom_manage_all_user_symlinks($1_su_t)
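Review bot: The comment added above `allow $1_su_t self:process sigstop;` states the user-visible goal ("suspend terminal") but not what the rule grants, which is the su domain sending SIGSTOP to itself. Wording such as `# let su stop itself (SIGSTOP to self) so the user can suspend the su session` would match the rule, and the strict-policy rationale can stay as written. The grant is limited to `self`, so it adds no access to other domains. The enclosing `su_per_userdomain_template` and the targeted_policy branch both start and end outside this hunk.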
@@ -220,6 +227,7 @@ template(`su_per_userdomain_template',`
# make sediff easier.
if(!secure_mode) {
unconfined_domtrans($1_su_t)
+ unconfined_signal($1_su_t)
}
',`
if(secure_mode) {
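Review bot: `unconfined_signal($1_su_t)` inside the `if(!secure_mode)` block has no comment saying why the su domain needs it, and the grant is wider than a single child process. Per the interface added in unconfined.if, it expands to `allow $1 unconfined_t:process signal;`, which type enforcement applies to every process labelled unconfined_t. Presumably the intent is for su to pass signals on to the shell it started through `unconfined_domtrans`; if so, a line such as `# su relays signals to the unconfined shell it started` above the call would record that. Keeping the rule under the same `secure_mode` guard as the transition looks consistent. The else branch of the conditional continues outside the hunk.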
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 19f21b0..66c4675 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -187,6 +187,22 @@ interface(`unconfined_sigchld',`
########################################
## <summary>
+## Send generic signals to the unconfined domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`unconfined_signal',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process signal;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">