[selinux-policy: 2282/3172] add seunshare from dan.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:22:38 UTC 2010
commit 4be8dd10b9a273eef78e2221270826d6305b575b
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Sep 28 15:40:06 2009 -0400
add seunshare from dan.
Changelog | 1 +
policy/modules/apps/seunshare.fc | 1 +
policy/modules/apps/seunshare.if | 72 ++++++++++++++++++++++++++++++++++++++
policy/modules/apps/seunshare.te | 35 ++++++++++++++++++
4 files changed, 109 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index 8bb1181..0918a39 100644
--- a/Changelog
+++ b/Changelog
@@ -18,6 +18,7 @@
modemmanager(Dan Walsh)
nslcd (Dan Walsh)
rtkit (Dan Walsh)
+ seunshare (Dan Walsh)
shorewall (Dan Walsh)
xscreensaver (Corentin Labbe)
diff --git a/policy/modules/apps/seunshare.fc b/policy/modules/apps/seunshare.fc
new file mode 100644
index 0000000..30a4b9f
--- /dev/null
+++ b/policy/modules/apps/seunshare.fc
@@ -0,0 +1 @@
+/usr/sbin/seunshare -- gen_context(system_u:object_r:seunshare_exec_t,s0)
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
new file mode 100644
index 0000000..dbdf448
--- /dev/null
+++ b/policy/modules/apps/seunshare.if
@@ -0,0 +1,72 @@
+## <summary>Filesystem namespacing/polyinstantiation application.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run seunshare.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seunshare_domtrans',`
+ gen_require(`
+ type seunshare_t, seunshare_exec_t;
+ ')
+
+ domtrans_pattern($1, seunshare_exec_t, seunshare_t)
+')
+
+########################################
+## <summary>
+## Execute seunshare in the seunshare domain, and
+## allow the specified role the seunshare domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`seunshare_run',`
+ gen_require(`
+ type seunshare_t;
+ ')
+
+ seunshare_domtrans($1)
+ role $2 types seunshare_t;
+')
+
+########################################
+## <summary>
+## Role access for seunshare
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`seunshare_role',`
+ gen_require(`
+ type seunshare_t;
+ ')
+
+ role $2 types seunshare_t;
+
+ seunshare_domtrans($1)
+
+ ps_process_pattern($2, seunshare_t)
+ allow $2 seunshare_t:process signal;
+')
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
new file mode 100644
index 0000000..dcec4bf
--- /dev/null
+++ b/policy/modules/apps/seunshare.te
@@ -0,0 +1,35 @@
+
+policy_module(seunshare, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type seunshare_t;
+type seunshare_exec_t;
+application_domain(seunshare_t, seunshare_exec_t)
+role system_r types seunshare_t;
+
+########################################
+#
+# seunshare local policy
+#
+
+allow seunshare_t self:capability setpcap;
+allow seunshare_t self:process { setexec signal getcap setcap };
+
+allow seunshare_t self:fifo_file rw_file_perms;
+allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_shell(seunshare_t)
+corecmd_exec_bin(seunshare_t)
+
+files_read_etc_files(seunshare_t)
+files_mounton_all_poly_members(seunshare_t)
+
+auth_use_nsswitch(seunshare_t)
+
+miscfiles_read_localization(seunshare_t)
+
+userdom_use_user_terminals(seunshare_t)
More information about the scm-commits
mailing list