[selinux-policy] Added seutil_dontaudit_access_check_semanage_module_store interface.
Lukas Vrabec
lvrabec at fedoraproject.org
Sat Nov 29 03:38:46 UTC 2014
commit 1929f5bfe8acfe96cf58188b5f4b23b36400cf8c
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Sat Nov 29 04:38:17 2014 +0100
Added seutil_dontaudit_access_check_semanage_module_store interface.
policy-rawhide-base.patch | 28 +++++++++++++++++++++++-----
1 files changed, 23 insertions(+), 5 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index c0a639e..5d07d47 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -37301,7 +37301,7 @@ index d43f3b1..870bc36 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..929107c 100644
+index 3822072..8a23b62 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
@@ -37793,7 +37793,7 @@ index 3822072..929107c 100644
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -1017,11 +1382,87 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1382,105 @@ interface(`seutil_domtrans_semanage',`
#
interface(`seutil_run_semanage',`
gen_require(`
@@ -37880,10 +37880,28 @@ index 3822072..929107c 100644
+ list_dirs_pattern($1, selinux_config_t, semanage_store_t)
+ read_files_pattern($1, semanage_store_t, semanage_store_t)
+ read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
++')
++
++#######################################
++## <summary>
++## Dontaudit access check on module store
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`seutil_dontaudit_access_check_semanage_module_store',`
++ gen_require(`
++ type semanage_store_t;
++ ')
++
++ dontaudit $1 semanage_store_t:dir_file_class_set audit_access;
')
########################################
-@@ -1043,7 +1484,11 @@ interface(`seutil_manage_module_store',`
+@@ -1043,7 +1502,11 @@ interface(`seutil_manage_module_store',`
files_search_etc($1)
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
manage_files_pattern($1, semanage_store_t, semanage_store_t)
@@ -37895,7 +37913,7 @@ index 3822072..929107c 100644
')
#######################################
-@@ -1067,6 +1512,24 @@ interface(`seutil_get_semanage_read_lock',`
+@@ -1067,6 +1530,24 @@ interface(`seutil_get_semanage_read_lock',`
#######################################
## <summary>
@@ -37920,7 +37938,7 @@ index 3822072..929107c 100644
## Get trans lock on module store
## </summary>
## <param name="domain">
-@@ -1137,3 +1600,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1618,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
More information about the scm-commits
mailing list