[selinux-policy: 2095/3172] trunk: 5 patches from dan.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:05:52 UTC 2010
commit da04234f329d9c94549eb8ff435e3be4d6e6c01d
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Mar 10 19:32:04 2009 +0000
trunk: 5 patches from dan.
policy/modules/admin/alsa.te | 3 +-
policy/modules/admin/consoletype.te | 5 ++-
policy/modules/admin/netutils.te | 8 ++++++-
policy/modules/admin/vbetool.if | 25 ++++++++++++++++++++++++
policy/modules/admin/vbetool.te | 4 ++-
policy/modules/admin/vpn.if | 36 +++++++++++++++++++++++++++++++++++
policy/modules/admin/vpn.te | 2 +-
policy/modules/services/munin.if | 20 +++++++++++++++++++
policy/modules/services/munin.te | 2 +-
9 files changed, 98 insertions(+), 7 deletions(-)
---
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 810ae5f..4250bbd 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -1,5 +1,5 @@
-policy_module(alsa, 1.7.0)
+policy_module(alsa, 1.7.1)
########################################
#
@@ -43,6 +43,7 @@ kernel_read_system_state(alsa_t)
dev_read_sound(alsa_t)
dev_write_sound(alsa_t)
+dev_read_sysfs(alsa_t)
corecmd_exec_bin(alsa_t)
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index d8bf97f..955532d 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -1,5 +1,5 @@
-policy_module(consoletype, 1.7.0)
+policy_module(consoletype, 1.7.1)
########################################
#
@@ -18,7 +18,7 @@ role system_r types consoletype_t;
# Local declarations
#
-allow consoletype_t self:capability sys_admin;
+allow consoletype_t self:capability { sys_admin sys_tty_config };
allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow consoletype_t self:fd use;
allow consoletype_t self:fifo_file rw_fifo_file_perms;
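Review bot: The `sys_tty_config` capability added to the `allow consoletype_t self:capability` line has no stated reason; neither the commit message nor the hunk says which operation was being denied. consoletype_t already holds `sys_admin`, so each further capability on this domain deserves a one-line justification. I would add a comment above the rule such as `# sys_tty_config: <operation that was denied>` with the actual trigger filled in. If the denial came from a probe the tool does not depend on, a `dontaudit` rule would be the narrower choice.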
@@ -38,6 +38,7 @@ kernel_dontaudit_read_system_state(consoletype_t)
fs_getattr_all_fs(consoletype_t)
fs_search_auto_mountpoints(consoletype_t)
fs_write_nfs_files(consoletype_t)
+fs_list_inotifyfs(consoletype_t)
mls_file_read_all_levels(consoletype_t)
mls_file_write_all_levels(consoletype_t)
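Review bot: `fs_list_inotifyfs(consoletype_t)` is granted as a real access, but nothing in the hunk explains why a console-type probe needs to list inotifyfs. A denial like this can come from a descriptor inherited from the calling process rather than from anything consoletype does itself, though that cannot be confirmed from the patch. If that is the case here, suppressing the audit message is preferable to allowing the access. Either way, a short comment naming the caller that triggered it would make the rule reviewable later.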
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 5d3068b..1c753fa 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
-policy_module(netutils, 1.8.2)
+policy_module(netutils, 1.8.3)
########################################
#
@@ -128,6 +128,8 @@ domain_use_interactive_fds(ping_t)
files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)
+kernel_read_system_state(ping_t)
+
auth_use_nsswitch(ping_t)
logging_send_syslog_msg(ping_t)
@@ -146,6 +148,10 @@ tunable_policy(`user_ping',`
')
optional_policy(`
+ munin_append_log(ping_t)
+')
+
+optional_policy(`
pcmcia_use_cardmgr_fds(ping_t)
')
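Review bot: The new `munin_append_log(ping_t)` block gives no reason why ping should be able to write to another service's log. Presumably munin plugins start ping with their output attached to the munin log, but nothing in the hunk or the commit message confirms that. A comment inside the block, e.g. `# ping is run by munin plugins with output going to the munin log` (if that is the case), would let a later reader judge whether the grant is still needed.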
diff --git a/policy/modules/admin/vbetool.if b/policy/modules/admin/vbetool.if
index 001e148..2dc9f53 100644
--- a/policy/modules/admin/vbetool.if
+++ b/policy/modules/admin/vbetool.if
@@ -18,3 +18,28 @@ interface(`vbetool_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, vbetool_exec_t, vbetool_t)
')
+
+########################################
+## <summary>
+## Execute vbetool in the vbetool domain, and
+## allow the specified role the vbetool domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the vbetool domain.
+## </summary>
+## </param>
+#
+interface(`vbetool_run',`
+ gen_require(`
+ type vbetool_t;
+ ')
+
+ vbetool_domtrans($1)
+ role $2 types vbetool_t;
+')
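Review bot: The documentation for `vbetool_run` does not tell callers how privileged the target domain is. vbetool.te in this same commit shows vbetool_t with `dev_read_raw_memory` and the newly added `domain_mmap_low`, so a role given this interface can reach raw memory through the tool. I would extend the role parameter's summary, for example `## The role to be allowed the vbetool domain; intended for administrative roles only.` No caller of `vbetool_run` is added in the nine files of this commit, so the intended user is not visible here.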
diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
index a6d316e..34e0a33 100644
--- a/policy/modules/admin/vbetool.te
+++ b/policy/modules/admin/vbetool.te
@@ -1,5 +1,5 @@
-policy_module(vbetool, 1.3.0)
+policy_module(vbetool, 1.3.1)
########################################
#
@@ -23,6 +23,8 @@ dev_read_raw_memory(vbetool_t)
dev_rwx_zero(vbetool_t)
dev_read_sysfs(vbetool_t)
+domain_mmap_low(vbetool_t)
+
term_use_unallocated_ttys(vbetool_t)
miscfiles_read_localization(vbetool_t)
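Review bot: `domain_mmap_low(vbetool_t)` is added with no comment, and it is the kind of grant that needs one, because mapping low addresses is what the kernel's minimum-mmap-address protection against NULL-pointer dereference bugs is meant to prevent. The context lines show vbetool_t already has `dev_read_raw_memory` and `dev_rwx_zero`, so this domain concentrates several memory-level privileges. I would put a line above the call such as `# vbetool maps low memory to run the video BIOS`, if that is indeed the reason, so the exception is not copied to other domains that lack the same need.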
diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if
index 8779a18..b5272fb 100644
--- a/policy/modules/admin/vpn.if
+++ b/policy/modules/admin/vpn.if
@@ -47,6 +47,24 @@ interface(`vpn_run',`
########################################
## <summary>
+## Send VPN clients the kill signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_kill',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:process sigkill;
+')
+
+########################################
+## <summary>
## Send generic signals to VPN clients.
## </summary>
## <param name="domain">
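Review bot: `vpn_kill` (this hunk) and `vpn_signull` (the next hunk) are added without any caller in the nine files this commit touches, so the patch does not show which domain is meant to receive them. As far as SELinux is concerned, `sigkill` on vpnc_t lets the caller terminate any process in that domain, not only one it started, so the summary should say who is expected to use it. I would also word the two summaries alike, e.g. `## Send sigkill to VPN clients.` to match `## Send signull to VPN clients.` The `vpn_signal` interface that follows continues outside the hunk.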
@@ -65,6 +83,24 @@ interface(`vpn_signal',`
########################################
## <summary>
+## Send signull to VPN clients.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_signull',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:process signull;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## Vpnc over dbus.
## </summary>
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index d3029b3..4fa636b 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
-policy_module(vpn, 1.10.2)
+policy_module(vpn, 1.10.3)
########################################
#
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index 19848bb..903e39b 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -45,6 +45,26 @@ interface(`munin_read_config',`
#######################################
## <summary>
+## Append to the munin log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_append_log',`
+ gen_require(`
+ type munin_log_t;
+ ')
+
+ allow $1 munin_log_t:file append_file_perms;
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
## Search munin library directories.
## </summary>
## <param name="domain">
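Review bot: `munin_append_log` pairs a bare `allow $1 munin_log_t:file append_file_perms;` with `logging_search_logs($1)`, which fits neither way a caller would reach the log. A domain that only inherits an already-open descriptor does not need search access to the log directories. A domain that opens the file by path would also need search on munin's own log directory, which is presumably labelled munin_log_t as well (not visible in this hunk). For the by-path case the usual form is `logging_search_logs($1)` followed by `append_files_pattern($1, munin_log_t, munin_log_t)`; for the inherited-descriptor case, drop the `logging_search_logs($1)` line so ping_t, the only caller added here, gets no more than it uses.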
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 2a0971d..f0aab75 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -1,5 +1,5 @@
-policy_module(munin, 1.6.1)
+policy_module(munin, 1.6.2)
########################################
#