[selinux-policy: 2542/3172] Kernel patch from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:45:57 UTC 2010
commit 0417386142191a2303cd87dd89ccc5e23ef4cd5c
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Mar 17 11:16:25 2010 -0400
Kernel patch from Dan Walsh.
policy/modules/kernel/kernel.if | 55 +++++++++++++++++++++++++++++++++++++++
policy/modules/kernel/kernel.te | 2 +-
2 files changed, 56 insertions(+), 1 deletions(-)
---
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index aad46d8..0352a19 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -144,6 +144,24 @@ interface(`kernel_sigchld',`
########################################
## <summary>
+## Send a kill signal to kernel threads.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process sending the signal.
+## </summary>
+## </param>
+#
+interface(`kernel_kill',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:process sigkill;
+')
+
+########################################
+## <summary>
## Send a generic signal to kernel threads.
## </summary>
## <param name="domain">
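Review bot: The `<param>` description in `kernel_kill` reads `The type of the process sending the signal.`, while `kernel_dontaudit_search_debugfs`, added in the next hunk, uses the wording `Domain allowed access.`; `kernel_mount_unlabeled` in the third hunk has the same mismatch. For the two `allow` interfaces I would use `## Domain allowed access.` so the generated interface documentation is uniform. This assumes the rest of kernel.if follows that convention, which is not visible from these hunks. Since the rule grants `sigkill` on `kernel_t`, the summary could also say `Send a SIGKILL signal to kernel threads.` to set it apart from the generic-signal interface that follows.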
@@ -624,6 +642,24 @@ interface(`kernel_search_debugfs',`
########################################
## <summary>
+## Do not audit attempts to search the kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_search_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ dontaudit $1 debugfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## Read information from the debugging filesystem.
## </summary>
## <param name="domain">
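Review bot: The parameter description for `kernel_dontaudit_search_debugfs` says `Domain allowed access.`, but the body is a `dontaudit` rule and grants nothing. It only suppresses the denial record for `search` on `debugfs_t` directories. I would change that line to `## Domain to not audit.` so a policy author does not read the interface as an access grant. Because the rule removes these denials from the audit log, it is worth adding a sentence to the summary saying it is meant for domains whose debugfs lookups are known noise, so that unexpected probing by other domains stays visible.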
@@ -1994,6 +2030,25 @@ interface(`kernel_kill_unlabeled',`
########################################
## <summary>
+## Mount a kernel unlabeled filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the domain mounting the filesystem.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:filesystem mount;
+')
+
+
+########################################
+## <summary>
## Send general signals to unlabeled processes.
## </summary>
## <param name="domain">
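Review bot: The summary `Mount a kernel unlabeled filesystem.` in `kernel_mount_unlabeled` is hard to parse and does not say what the rule grants. Something like `## Mount filesystems that have the unlabeled type.` matches `allow $1 unlabeled_t:filesystem mount;`. It also makes clear that only `mount` is granted, not unmount or remount. Separately, two blank added lines follow the closing `')` here, where the other interfaces in this patch leave one before the next banner; drop one of them.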
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 400bee5..3ef6a62 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel, 1.11.2)
+policy_module(kernel, 1.11.3)
########################################
#