[selinux-policy: 1638/3172] On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote: > Here is the policy changes needed for the c

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:26:41 UTC 2010


commit c6a60bb28d9818adbf693d05938786e0d3629d0b
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Nov 14 13:38:52 2006 +0000

    On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote:
    > Here is the policy changes needed for the context contains security
    > checking in PAM and cron.

 Changelog                           |    1 +
 policy/flask/access_vectors         |    1 +
 policy/mls                          |    3 +++
 policy/modules/system/userdomain.if |    6 ++++++
 policy/modules/system/userdomain.te |    2 +-
 5 files changed, 12 insertions(+), 1 deletions(-)
---
diff --git a/Changelog b/Changelog
index 87fd0ff..1bdd76e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Context contains checking for PAM and cron from James Antill.
 - Add a reload target to Modules.devel and change the load
   target to only insert modules that were changed.
 - Allow semanage to read from /root on strict non-MLS for
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 641dcd2..4848d25 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -635,4 +635,5 @@ class key
 class context
 {
 	translate
+	contains
 }
diff --git a/policy/mls b/policy/mls
index 8ab1332..bdca162 100644
--- a/policy/mls
+++ b/policy/mls
@@ -597,4 +597,7 @@ mlsconstrain association { polmatch }
 mlsconstrain context translate
 	(( h1 dom h2 ) or ( t1 == mlstranslate ));
 
+mlsconstrain context contains
+	( h1 dom h2 );
+
 ') dnl end enable_mls
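Review bot: The new `mlsconstrain context contains` compares only the high levels, so a target context whose low level sits below the source's low level still satisfies `( h1 dom h2 )`. If the permission is meant to check that the source range fully contains the target range, as the permission name and the commit message suggest, the low bound needs checking as well: `(( h1 dom h2 ) and ( l1 domby l2 ));`. Unlike the `translate` constraint just above it, no attribute exempts a domain from this check; that looks intentional and deserves a one-line comment saying so.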
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 0532edc..c47a891 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -22,6 +22,11 @@
 ## <rolebase/>
 #
 template(`userdom_base_user_template',`
+
+	gen_require(`
+		class context contains;
+	')
+
 	attribute $1_file_type;
 
 	type $1_t, userdomain;
@@ -49,6 +54,7 @@ template(`userdom_base_user_template',`
 	allow $1_t self:sem create_sem_perms;
 	allow $1_t self:msgq create_msgq_perms;
 	allow $1_t self:msg { send receive };
+	allow $1_t self:context contains;
 	dontaudit $1_t self:socket create;
 
 	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
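Review bot: `allow $1_t self:context contains;` is added without a comment, and nothing in the template says that this is a userspace check made by PAM and cron rather than a kernel permission. Because the rule is on `self`, the type-enforcement side passes for every domain built from this template. The only restriction this commit adds is the MLS constraint, which sits inside `enable_mls`, so on other builds the check appears to always succeed for a same-type context; it is worth confirming that this is intended. A comment such as `# userspace (PAM/cron) range check; the level comparison is enforced by the mlsconstrain in policy/mls` above the rule would record this. The template body starts and ends outside the hunk.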
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 7999ffe..865fd42 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,2.0.2)
+policy_module(userdomain,2.0.3)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;

