[selinux-policy: 2856/3172] Merge branch 'master' of http://oss.tresys.com/git/refpolicy
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:14:17 UTC 2010
commit cbadf720ba59b4f705c54add75443524d71c1a4e
Merge: 02fb4a0 785ee79
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Sep 1 14:11:18 2010 -0400
Merge branch 'master' of http://oss.tresys.com/git/refpolicy
Conflicts:
policy/modules/kernel/domain.if
policy/modules/services/xserver.te
Changelog | 1 +
policy/modules/admin/vbetool.te | 13 ++++++++++-
policy/modules/apps/wine.if | 4 +++
policy/modules/apps/wine.te | 13 ++++++++++-
policy/modules/kernel/domain.if | 40 ++++++++++++++++++++++++++++++----
policy/modules/kernel/domain.te | 10 +++++++-
policy/modules/kernel/kernel.if | 20 +++++++++++++++++
policy/modules/services/xserver.te | 3 +-
policy/modules/system/mount.te | 2 +-
policy/modules/system/unconfined.if | 2 +-
10 files changed, 97 insertions(+), 11 deletions(-)
---
diff --cc policy/modules/apps/wine.if
index 62e455a,0440b4c..f5a9673
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@@ -105,17 -101,14 +105,21 @@@ template(`wine_role_template',
corecmd_bin_domtrans($1_wine_t, $1_t)
userdom_unpriv_usertype($1, $1_wine_t)
- userdom_manage_user_tmpfs_files($1_wine_t)
+ userdom_manage_tmpfs_role($2, $1_wine_t)
- domain_mmap_low($1_wine_t)
+ domain_mmap_low_type($1_wine_t)
+ tunable_policy(`mmap_low_allowed',`
+ allow $1_wine_t self:memprotect mmap_zero;
+ ')
+
+ tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit $1_wine_t self:memprotect mmap_zero;
+ ')
+ tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit $1_wine_t self:memprotect mmap_zero;
+ ')
+
optional_policy(`
xserver_role($1_r, $1_wine_t)
')
diff --cc policy/modules/apps/wine.te
index 6fe38a1,f9a123a..51e65e7
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@@ -1,13 -1,5 +1,13 @@@
- policy_module(wine, 1.7.1)
+ policy_module(wine, 1.7.2)
+## <desc>
+## <p>
+## Ignore wine mmap_zero errors
+## </p>
+## </desc>
+#
+gen_tunable(wine_mmap_zero_ignore, false)
+
########################################
#
# Declarations
diff --cc policy/modules/kernel/domain.te
index b9c5804,099f57f..ae62211
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@@ -4,22 -4,15 +4,30 @@@ policy_module(domain, 1.8.1
#
# Declarations
#
+## <desc>
+## <p>
+## Allow all domains to use other domains file descriptors
+## </p>
+## </desc>
+#
+gen_tunable(allow_domain_fd_use, true)
+
+## <desc>
+## <p>
+## Allow all domains to have the kernel load modules
+## </p>
+## </desc>
+#
+gen_tunable(domain_kernel_load_modules, false)
+ ## <desc>
+ ## <p>
+ ## Control the ability to mmap a low area of the address space,
+ ## as configured by /proc/sys/kernel/mmap_min_addr.
+ ## </p>
+ ## </desc>
+ gen_tunable(mmap_low_allowed, false)
+
# Mark process types as domains
attribute domain;
diff --cc policy/modules/kernel/kernel.if
index d676187,ed7667a..46e9859
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@@ -698,26 -698,6 +698,46 @@@ interface(`kernel_read_debugfs',
########################################
## <summary>
+## Read/Write information from the debugging filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_rw_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ rw_files_pattern($1, debugfs_t, debugfs_t)
+ read_lnk_files_pattern($1, debugfs_t, debugfs_t)
+ list_dirs_pattern($1, debugfs_t, debugfs_t)
+')
+
+########################################
+## <summary>
++## Manage information from the debugging filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_manage_debugfs',`
++ gen_require(`
++ type debugfs_t;
++ ')
++
++ manage_files_pattern($1, debugfs_t, debugfs_t)
++ read_lnk_files_pattern($1, debugfs_t, debugfs_t)
++ list_dirs_pattern($1, debugfs_t, debugfs_t)
++')
++
++########################################
++## <summary>
## Mount a kernel VM filesystem.
## </summary>
## <param name="domain">
diff --cc policy/modules/system/mount.te
index 2639086,fca6947..a2f7102
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@@ -68,23 -46,9 +68,23 @@@ can_exec(mount_t, mount_exec_t
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
+manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
+manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
+files_pid_filetrans(mount_t,mount_var_run_t,dir)
+files_var_filetrans(mount_t,mount_var_run_t,dir)
+
+# In order to mount reiserfs_t
+kernel_dontaudit_getattr_core_if(mount_t)
+kernel_list_unlabeled(mount_t)
+kernel_mount_unlabeled(mount_t)
+kernel_unmount_unlabeled(mount_t)
kernel_read_system_state(mount_t)
+kernel_read_network_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
- kernel_rw_debugfs(mount_t)
-kernel_dontaudit_getattr_core_if(mount_t)
++kernel_manage_debugfs(mount_t)
+kernel_setsched(mount_t)
+kernel_use_fds(mount_t)
+kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
diff --cc policy/modules/system/unconfined.if
index bdb4c7b,416e668..b3da05d
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@@ -45,16 -44,6 +45,16 @@@ interface(`unconfined_domain_noaudit',
fs_unconfined($1)
selinux_unconfined($1)
- domain_mmap_low_type($1)
++ domain_mmap_low($1)
+
+ mls_file_read_all_levels($1)
+
+ ubac_process_exempt($1)
+
+ tunable_policy(`mmap_low_allowed',`
+ allow $1 self:memprotect mmap_zero;
+ ')
+
tunable_policy(`allow_execheap',`
# Allow making the stack executable via mprotect.
allow $1 self:process execheap;
More information about the scm-commits
mailing list