[selinux-policy] Added seutil_dontaudit_access_check_semanage_module_store interface.

Lukas Vrabec lvrabec at fedoraproject.org
Sat Nov 29 03:38:46 UTC 2014


commit 1929f5bfe8acfe96cf58188b5f4b23b36400cf8c
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Sat Nov 29 04:38:17 2014 +0100

    Added seutil_dontaudit_access_check_semanage_module_store interface.

 policy-rawhide-base.patch |   28 +++++++++++++++++++++++-----
 1 files changed, 23 insertions(+), 5 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index c0a639e..5d07d47 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -37301,7 +37301,7 @@ index d43f3b1..870bc36 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..929107c 100644
+index 3822072..8a23b62 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
 @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
@@ -37793,7 +37793,7 @@ index 3822072..929107c 100644
  ##	Execute semanage in the semanage domain, and
  ##	allow the specified role the semanage domain,
  ##	and use the caller's terminal.
-@@ -1017,11 +1382,87 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1382,105 @@ interface(`seutil_domtrans_semanage',`
  #
  interface(`seutil_run_semanage',`
  	gen_require(`
@@ -37880,10 +37880,28 @@ index 3822072..929107c 100644
 +	list_dirs_pattern($1, selinux_config_t, semanage_store_t)
 +	read_files_pattern($1, semanage_store_t, semanage_store_t)
 +	read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
++')
++
++#######################################
++## <summary>
++##	Dontaudit access check on module store
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`seutil_dontaudit_access_check_semanage_module_store',`
++	gen_require(`
++		type semanage_store_t;
++	')
++
++    dontaudit $1 semanage_store_t:dir_file_class_set audit_access;
  ')
  
  ########################################
-@@ -1043,7 +1484,11 @@ interface(`seutil_manage_module_store',`
+@@ -1043,7 +1502,11 @@ interface(`seutil_manage_module_store',`
  	files_search_etc($1)
  	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
  	manage_files_pattern($1, semanage_store_t, semanage_store_t)
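Review bot: The parameter description of the new `seutil_dontaudit_access_check_semanage_module_store` interface reads `Domain allowed access.`, but the interface allows nothing and only suppresses audit records, so the usual refpolicy wording `Domain to not audit.` would be accurate. The summary could say more precisely what is hidden, for example `Do not audit access(2)-style permission probes (audit_access) on the semanage module store.`. As far as I can tell, `audit_access` only covers denials raised by access checks, so real open/read denials on `semanage_store_t` should still be logged. Anyone triaging missing AVCs for a calling domain should remember this rule exists and rebuild with dontaudit rules disabled (`semodule -DB`) when investigating. The `dontaudit $1 semanage_store_t:dir_file_class_set audit_access;` line is indented with four spaces, while the neighbouring interfaces use a tab.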
@@ -37895,7 +37913,7 @@ index 3822072..929107c 100644
  ')
  
  #######################################
-@@ -1067,6 +1512,24 @@ interface(`seutil_get_semanage_read_lock',`
+@@ -1067,6 +1530,24 @@ interface(`seutil_get_semanage_read_lock',`
  
  #######################################
  ## <summary>
@@ -37920,7 +37938,7 @@ index 3822072..929107c 100644
  ##	Get trans lock on module store
  ## </summary>
  ## <param name="domain">
-@@ -1137,3 +1600,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1618,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')

