[selinux-policy: 1638/3172] On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote: > Here is the policy changes needed for the c
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:26:41 UTC 2010
commit c6a60bb28d9818adbf693d05938786e0d3629d0b
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Nov 14 13:38:52 2006 +0000
On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote:
> Here is the policy changes needed for the context contains security
> checking in PAM and cron.
Changelog | 1 +
policy/flask/access_vectors | 1 +
policy/mls | 3 +++
policy/modules/system/userdomain.if | 6 ++++++
policy/modules/system/userdomain.te | 2 +-
5 files changed, 12 insertions(+), 1 deletions(-)
---
diff --git a/Changelog b/Changelog
index 87fd0ff..1bdd76e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Context contains checking for PAM and cron from James Antill.
- Add a reload target to Modules.devel and change the load
target to only insert modules that were changed.
- Allow semanage to read from /root on strict non-MLS for
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 641dcd2..4848d25 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -635,4 +635,5 @@ class key
class context
{
translate
+ contains
}
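Review bot: the new `contains` permission in class `context` has no comment saying which side is the container, and the permission name alone does not make that clear. Add a one-line comment above the class stating that the source context's range must contain the target's, matching the `h1 dom h2` constraint added in policy/mls. Appending it after `translate` is right, since it leaves the existing permission's position unchanged.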
diff --git a/policy/mls b/policy/mls
index 8ab1332..bdca162 100644
--- a/policy/mls
+++ b/policy/mls
@@ -597,4 +597,7 @@ mlsconstrain association { polmatch }
mlsconstrain context translate
(( h1 dom h2 ) or ( t1 == mlstranslate ));
+mlsconstrain context contains
+ ( h1 dom h2 );
+
') dnl end enable_mls
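Review bot: the `contains` constraint compares only the high levels, `( h1 dom h2 )`, so a target whose low level lies below the source's low level still passes. If the permission is meant as range containment, bound the low end as well, for example `(( h1 dom h2 ) and ( l1 domby l2 ))`. Unlike the `translate` constraint just above it, there is also no exempting attribute; a comment saying that this is deliberate would help.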
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 0532edc..c47a891 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -22,6 +22,11 @@
## <rolebase/>
#
template(`userdom_base_user_template',`
+
+ gen_require(`
+ class context contains;
+ ')
+
attribute $1_file_type;
type $1_t, userdomain;
@@ -49,6 +54,7 @@ template(`userdom_base_user_template',`
allow $1_t self:sem create_sem_perms;
allow $1_t self:msgq create_msgq_perms;
allow $1_t self:msg { send receive };
+ allow $1_t self:context contains;
dontaudit $1_t self:socket create;
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
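Review bot: `allow $1_t self:context contains;` is inserted into the run of self IPC rules (sem, msgq, msg), where it reads as one more IPC permission. Because the target is `self`, the type check always matches, so the only effective restriction is the mlsconstrain, and in a policy built without enable_mls the permission is unconditional for every domain created by this template. Put the rule in its own group with a comment that it backs the PAM and cron context check named in the commit message, and say whether the non-MLS behaviour is intended.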
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 7999ffe..865fd42 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,2.0.2)
+policy_module(userdomain,2.0.3)
gen_require(`
role sysadm_r, staff_r, user_r;