[selinux-policy: 2282/3172] add seunshare from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:22:38 UTC 2010


commit 4be8dd10b9a273eef78e2221270826d6305b575b
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Sep 28 15:40:06 2009 -0400

    add seunshare from dan.

 Changelog                        |    1 +
 policy/modules/apps/seunshare.fc |    1 +
 policy/modules/apps/seunshare.if |   72 ++++++++++++++++++++++++++++++++++++++
 policy/modules/apps/seunshare.te |   35 ++++++++++++++++++
 4 files changed, 109 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index 8bb1181..0918a39 100644
--- a/Changelog
+++ b/Changelog
@@ -18,6 +18,7 @@
 	modemmanager(Dan Walsh)
 	nslcd (Dan Walsh)
 	rtkit (Dan Walsh)
+	seunshare (Dan Walsh)
 	shorewall (Dan Walsh)
 	xscreensaver (Corentin Labbe)
 
diff --git a/policy/modules/apps/seunshare.fc b/policy/modules/apps/seunshare.fc
new file mode 100644
index 0000000..30a4b9f
--- /dev/null
+++ b/policy/modules/apps/seunshare.fc
@@ -0,0 +1 @@
+/usr/sbin/seunshare	--	gen_context(system_u:object_r:seunshare_exec_t,s0)
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
new file mode 100644
index 0000000..dbdf448
--- /dev/null
+++ b/policy/modules/apps/seunshare.if
@@ -0,0 +1,72 @@
+## <summary>Filesystem namespacing/polyinstantiation application.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run seunshare.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seunshare_domtrans',`
+	gen_require(`
+		type seunshare_t, seunshare_exec_t;
+	')
+
+	domtrans_pattern($1, seunshare_exec_t, seunshare_t)
+')
+
+########################################
+## <summary>
+##	Execute seunshare in the seunshare domain, and
+##	allow the specified role the seunshare domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`seunshare_run',`
+	gen_require(`
+		type seunshare_t;
+	')
+
+	seunshare_domtrans($1)
+	role $2 types seunshare_t;
+')
+
+########################################
+## <summary>
+##	Role access for seunshare
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+interface(`seunshare_role',`
+	gen_require(`
+		type seunshare_t;
+	')
+
+	role $2 types seunshare_t;
+
+	seunshare_domtrans($1)
+
+	ps_process_pattern($2, seunshare_t)
+	allow $2 seunshare_t:process signal;
+')
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
new file mode 100644
index 0000000..dcec4bf
--- /dev/null
+++ b/policy/modules/apps/seunshare.te
@@ -0,0 +1,35 @@
+
+policy_module(seunshare, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type seunshare_t;
+type seunshare_exec_t;
+application_domain(seunshare_t, seunshare_exec_t)
+role system_r types seunshare_t;
+
+########################################
+#
+# seunshare local policy
+#
+
+allow seunshare_t self:capability setpcap;
+allow seunshare_t self:process { setexec signal getcap setcap };
+
+allow seunshare_t self:fifo_file rw_file_perms;
+allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_shell(seunshare_t)
+corecmd_exec_bin(seunshare_t)
+
+files_read_etc_files(seunshare_t)
+files_mounton_all_poly_members(seunshare_t)
+
+auth_use_nsswitch(seunshare_t)
+
+miscfiles_read_localization(seunshare_t)
+
+userdom_use_user_terminals(seunshare_t)
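Review bot: the domain is given `files_mounton_all_poly_members(seunshare_t)` for the filesystem namespacing/polyinstantiation job described in the .if summary, but no `allow seunshare_t self:capability sys_admin;`, which the kernel requires for mount(2) and unshare(CLONE_NEWNS); unless that capability is supplied by an interface outside this module, the mount will be denied at runtime and the namespacing will silently not happen. Likewise `setexec` is granted but no `process transition` rule from seunshare_t to any target domain appears here, so the execve following setexeccon depends on transition rules living in the user-domain modules — a comment such as `# transitions out of seunshare_t are granted by the callers of seunshare_run/seunshare_role` above the local policy would record that dependency. If the binary is installed setuid and drops to the caller's uid, it will also need `setuid setgid` alongside `setpcap`; confirm against the binary rather than the policy.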

