[selinux-policy: 2095/3172] trunk: 5 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:05:52 UTC 2010


commit da04234f329d9c94549eb8ff435e3be4d6e6c01d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Mar 10 19:32:04 2009 +0000

    trunk: 5 patches from dan.

 policy/modules/admin/alsa.te        |    3 +-
 policy/modules/admin/consoletype.te |    5 ++-
 policy/modules/admin/netutils.te    |    8 ++++++-
 policy/modules/admin/vbetool.if     |   25 ++++++++++++++++++++++++
 policy/modules/admin/vbetool.te     |    4 ++-
 policy/modules/admin/vpn.if         |   36 +++++++++++++++++++++++++++++++++++
 policy/modules/admin/vpn.te         |    2 +-
 policy/modules/services/munin.if    |   20 +++++++++++++++++++
 policy/modules/services/munin.te    |    2 +-
 9 files changed, 98 insertions(+), 7 deletions(-)
---
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 810ae5f..4250bbd 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -1,5 +1,5 @@
 
-policy_module(alsa, 1.7.0)
+policy_module(alsa, 1.7.1)
 
 ########################################
 #
@@ -43,6 +43,7 @@ kernel_read_system_state(alsa_t)
 
 dev_read_sound(alsa_t)
 dev_write_sound(alsa_t)
+dev_read_sysfs(alsa_t)
 
 corecmd_exec_bin(alsa_t)
 
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index d8bf97f..955532d 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -1,5 +1,5 @@
 
-policy_module(consoletype, 1.7.0)
+policy_module(consoletype, 1.7.1)
 
 ########################################
 #
@@ -18,7 +18,7 @@ role system_r types consoletype_t;
 # Local declarations
 #
 
-allow consoletype_t self:capability sys_admin;
+allow consoletype_t self:capability { sys_admin sys_tty_config };
 allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow consoletype_t self:fd use;
 allow consoletype_t self:fifo_file rw_fifo_file_perms;
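Review bot: The widened rule `allow consoletype_t self:capability { sys_admin sys_tty_config };` has no comment saying which operation needs `sys_tty_config`, and it leaves the much broader `sys_admin` in place. If the denial behind this change was a tty-configuration call, it is worth checking whether `sys_admin` is still needed at all, since it is one of the widest capabilities a domain can hold. I would add a why-comment above the rule, for example `# sys_tty_config: tty configuration calls on the console`, with the wording taken from the actual AVC. The local-declarations section continues outside this hunk, so the justification may already be recorded elsewhere in the file.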
@@ -38,6 +38,7 @@ kernel_dontaudit_read_system_state(consoletype_t)
 fs_getattr_all_fs(consoletype_t)
 fs_search_auto_mountpoints(consoletype_t)
 fs_write_nfs_files(consoletype_t)
+fs_list_inotifyfs(consoletype_t)
 
 mls_file_read_all_levels(consoletype_t)
 mls_file_write_all_levels(consoletype_t)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 5d3068b..1c753fa 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
 
-policy_module(netutils, 1.8.2)
+policy_module(netutils, 1.8.3)
 
 ########################################
 #
@@ -128,6 +128,8 @@ domain_use_interactive_fds(ping_t)
 files_read_etc_files(ping_t)
 files_dontaudit_search_var(ping_t)
 
+kernel_read_system_state(ping_t)
+
 auth_use_nsswitch(ping_t)
 
 logging_send_syslog_msg(ping_t)
@@ -146,6 +148,10 @@ tunable_policy(`user_ping',`
 ')
 
 optional_policy(`
+	munin_append_log(ping_t)
+')
+
+optional_policy(`
 	pcmcia_use_cardmgr_fds(ping_t)
 ')
 
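Review bot: The new `optional_policy` block calling `munin_append_log(ping_t)` gives no reason why ping should write to munin's log. The `user_ping` tunable in the hunk header suggests `ping_t` can also be entered from ordinary user domains, so the grant reaches further than munin's own use of ping. Presumably it covers a munin plugin that runs ping with its output redirected to the log; if so, record that in a comment such as `# munin plugins run ping with stdout/stderr pointing at the munin log`. The `ping_t` rule block starts and ends outside this hunk.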
diff --git a/policy/modules/admin/vbetool.if b/policy/modules/admin/vbetool.if
index 001e148..2dc9f53 100644
--- a/policy/modules/admin/vbetool.if
+++ b/policy/modules/admin/vbetool.if
@@ -18,3 +18,28 @@ interface(`vbetool_domtrans',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, vbetool_exec_t, vbetool_t)
 ')
+
+########################################
+## <summary>
+##	Execute vbetool in the vbetool domain, and
+##	allow the specified role the vbetool domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the vbetool domain.
+##	</summary>
+## </param>
+#
+interface(`vbetool_run',`
+	gen_require(`
+		type vbetool_t;
+	')
+
+	vbetool_domtrans($1)
+	role $2 types vbetool_t;
+')
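Review bot: `vbetool_run` is documented without a `## <rolecap/>` tag, while `munin_append_log` in munin.if, which takes no role argument, carries one; the two look swapped. As I understand the refpolicy documentation convention, the tag belongs on role-granting interfaces, so I would add `## <rolecap/>` after the last `## </param>` here and drop it from `munin_append_log`. The summary could also say what the role gains: `vbetool_t` can read raw memory (`dev_read_raw_memory` in vbetool.te) and, after this commit, map low addresses, so callers are best limited to administrative roles.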
diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
index a6d316e..34e0a33 100644
--- a/policy/modules/admin/vbetool.te
+++ b/policy/modules/admin/vbetool.te
@@ -1,5 +1,5 @@
 
-policy_module(vbetool, 1.3.0)
+policy_module(vbetool, 1.3.1)
 
 ########################################
 #
@@ -23,6 +23,8 @@ dev_read_raw_memory(vbetool_t)
 dev_rwx_zero(vbetool_t)
 dev_read_sysfs(vbetool_t)
 
+domain_mmap_low(vbetool_t)
+
 term_use_unallocated_ttys(vbetool_t)
 
 miscfiles_read_localization(vbetool_t)
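Review bot: `domain_mmap_low(vbetool_t)` is granted unconditionally and without a comment, although allowing a domain to map low addresses removes the protection that keeps kernel NULL-pointer dereferences from landing in user-mapped memory. vbetool presumably needs it for real-mode BIOS emulation; say so above the line, e.g. `# vbetool maps the low real-mode address range to run video BIOS code`. Since the domain already holds `dev_read_raw_memory` and `dev_rwx_zero`, consider putting this grant behind a boolean so that systems that never run vbetool can leave it off. The `vbetool_t` rule block continues outside this hunk.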
diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if
index 8779a18..b5272fb 100644
--- a/policy/modules/admin/vpn.if
+++ b/policy/modules/admin/vpn.if
@@ -47,6 +47,24 @@ interface(`vpn_run',`
 
 ########################################
 ## <summary>
+##	Send VPN clients the kill signal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vpn_kill',`
+	gen_require(`
+		type vpnc_t;
+	')
+
+	allow $1 vpnc_t:process sigkill;
+')
+
+########################################
+## <summary>
 ##	Send generic signals to VPN clients.
 ## </summary>
 ## <param name="domain">
@@ -65,6 +83,24 @@ interface(`vpn_signal',`
 
 ########################################
 ## <summary>
+##	Send signull to VPN clients.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vpn_signull',`
+	gen_require(`
+		type vpnc_t;
+	')
+
+	allow $1 vpnc_t:process signull;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	Vpnc over dbus.
 ## </summary>
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index d3029b3..4fa636b 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
 
-policy_module(vpn, 1.10.2)
+policy_module(vpn, 1.10.3)
 
 ########################################
 #
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index 19848bb..903e39b 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -45,6 +45,26 @@ interface(`munin_read_config',`
 
 #######################################
 ## <summary>
+##	Append to the munin log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_append_log',`
+	gen_require(`
+		type munin_log_t;
+	')
+
+	allow $1 munin_log_t:file append_file_perms;
+	logging_search_logs($1)
+')
+
+#######################################
+## <summary>
 ##	Search munin library directories.
 ## </summary>
 ## <param name="domain">
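Review bot: `munin_append_log` grants `append_file_perms` plus `logging_search_logs`, which is more than a caller needs if it only writes to a log descriptor it inherited already open. `append_file_perms` is defined outside this diff; if it includes `open`, the only caller added in this commit (`ping_t` in netutils.te) could open the munin log itself rather than just write to a descriptor handed to it. If the inherited-descriptor case is the one being fixed, consider narrowing the rule to `allow $1 munin_log_t:file { getattr append };` and dropping the directory search. Otherwise the summary should say that the interface allows opening the log for append.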
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 2a0971d..f0aab75 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -1,5 +1,5 @@
 
-policy_module(munin, 1.6.1)
+policy_module(munin, 1.6.2)
 
 ########################################
 #

