[selinux-policy: 2883/3172] Allow sudo domains to manage /var/db/sudo Allow init_t and initrc_t to dbus chat Allow pulseaudio to
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:16:43 UTC 2010
commit b36c20b2a9878748a948913f21f3829b6e394ea0
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Sep 8 17:27:24 2010 -0400
Allow sudo domains to manage /var/db/sudo
Allow init_t and initrc_t to dbus chat
Allow pulseaudio to read /usr/share/alsa/alsa.conf
policy/modules/admin/sudo.fc | 2 ++
policy/modules/admin/sudo.if | 4 ++++
policy/modules/admin/sudo.te | 4 ++++
policy/modules/apps/pulseaudio.te | 4 ++++
policy/modules/system/init.te | 2 ++
5 files changed, 16 insertions(+), 0 deletions(-)
---
diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
index 7bddc02..2b59ed0 100644
--- a/policy/modules/admin/sudo.fc
+++ b/policy/modules/admin/sudo.fc
@@ -1,2 +1,4 @@
/usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0)
+
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index e753ac9..cf1ca30 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
gen_require(`
type sudo_exec_t;
+ type sudo_db_t;
attribute sudodomain;
')
@@ -47,6 +48,8 @@ template(`sudo_role_template',`
ubac_constrained($1_sudo_t)
role $2 types $1_sudo_t;
+ manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
+
##############################
#
# Local Policy
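Review bot: The added `manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)` covers regular files only, while the commit title promises that sudo domains can "manage /var/db/sudo". The pattern grants read/write on existing `sudo_db_t` directories and manage on files, but not directory create, remove or setattr. If sudo creates per-user ticket directories below `/var/db/sudo`, as its timestamp layout usually does, the first sudo run by a new user would still be denied. Consider adding `manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)` next to it. No type transition is visible in this hunk either, so a recreated `/var/db/sudo` appears to depend on relabeling to get `sudo_db_t`. The template body continues outside the hunk, so both points should be checked against the rest of it.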
@@ -113,6 +116,7 @@ template(`sudo_role_template',`
term_relabel_all_ttys($1_sudo_t)
term_relabel_all_ptys($1_sudo_t)
+ term_getattr_pty_fs($1_sudo_t)
auth_run_chk_passwd($1_sudo_t, $2)
# sudo stores a token in the pam_pid directory
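Review bot: `term_getattr_pty_fs($1_sudo_t)` is not mentioned in the commit message, which lists only the sudo db, dbus chat and pulseaudio changes, so the reason for this extra permission is not recorded. The neighbouring rule carries a why-comment (`# sudo stores a token in the pam_pid directory`), and this line would benefit from one too. Something like `# sudo stats the devpts filesystem when allocating a pty` would do, with the wording confirmed against the AVC denial that prompted it.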
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index c368bdc..c927b85 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -7,3 +7,7 @@ attribute sudodomain;
type sudo_exec_t;
application_executable_file(sudo_exec_t)
+
+type sudo_db_t;
+files_type(sudo_db_t)
+
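Review bot: The new `sudo_db_t` declaration has no comment saying what it labels, and that matters here because `/var/db/sudo` appears to hold sudo's timestamp tickets, which are authentication state. A line above `type sudo_db_t;` would help later reviewers spot over-broad grants, for example `# sudo timestamp (ticket) files; write access affects whether sudo re-prompts for a password`. `files_type()` makes this an ordinary file type, so any domain with manage access to all non-security files would presumably be able to write it. If that is not intended, the declaration is the place to say so.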
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 88fc6f6..db96581 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -96,6 +96,10 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t)
optional_policy(`
+ alsa_read_rw_config(pulseaudio_t)
+')
+
+optional_policy(`
bluetooth_stream_connect(pulseaudio_t)
')
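Review bot: The commit message describes read access to one file, `/usr/share/alsa/alsa.conf`, but `alsa_read_rw_config(pulseaudio_t)` grants read on everything carrying the ALSA rw-config type. The interface name is also easy to misread as granting write access. A short comment inside the new `optional_policy` block would record the intent and make the wider scope visible, e.g. `# read-only access to ALSA config labelled alsa_etc_rw_t, needed for /usr/share/alsa/alsa.conf`. The type name in that comment is inferred from the interface name and should be confirmed against alsa.fc.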
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a80b4c7..477612e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -782,6 +782,8 @@ optional_policy(`
dbus_read_config(initrc_t)
dbus_manage_lib_files(initrc_t)
+ init_dbus_chat(initrc_t)
+
optional_policy(`
consolekit_dbus_chat(initrc_t)
')
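Review bot: `init_dbus_chat(initrc_t)` calls the init module's own interface from inside init.te, and the commit message ("Allow init_t and initrc_t to dbus chat") does not say which peers are meant. As written, the line appears to let `initrc_t` exchange D-Bus messages with `init_t`, inside what looks like the dbus `optional_policy` block that opens outside this hunk. A one-line comment such as `# initrc scripts talk to init over the system bus` would pin that down. It is also worth checking whether the project style prefers direct `allow ... dbus send_msg` rules over a module using its own interface.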