Allow hugetlbfs_t to be on device_t file system

Allow sudo domains to signal user domains Dontaudit xdm_t sending signals to all domains Fix allow_exec* boolean descriptions
2010-09-10 10:10:34 -04:00 · 2010-09-10 10:10:34 -04:00 · 1a82786cc8
commit 1a82786cc8
parent e81afdf5c9
5 changed files with 25 additions and 4 deletions
--- a/policy/global_tunables
+++ b/policy/global_tunables
@ -13,21 +13,21 @@ gen_tunable(allow_execheap,false)

 ## <desc>
 ## <p>
-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
+## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
 ## </p>
 ## </desc>
 gen_tunable(allow_execmem,false)

 ## <desc>
 ## <p>
-## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
+## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
 ## </p>
 ## </desc>
 gen_tunable(allow_execmod,false)

 ## <desc>
 ## <p>
-## Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
+## Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
 ## </p>
 ## </desc>
 gen_tunable(allow_execstack,false)
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@ -140,6 +140,7 @@ template(`sudo_role_template',`
 	userdom_manage_user_tmp_files($1_sudo_t)
 	userdom_manage_user_tmp_symlinks($1_sudo_t)
 	userdom_use_user_terminals($1_sudo_t)
+	userdom_signal_unpriv_users($1_sudo_t)
 	# for some PAM modules and for cwd
 	userdom_search_user_home_content($1_sudo_t)
 	userdom_search_admin_dir($1_sudo_t)
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@ -472,6 +472,25 @@ interface(`domain_signal_all_domains',`
 	allow $1 domain:process signal;
 ')

+########################################
+## <summary>
+##	Dontaudit sending general signals to all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_dontaudit_signal_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Send a null signal to all domains.
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@ -102,7 +102,7 @@ type hugetlbfs_t;
 fs_type(hugetlbfs_t)
 files_mountpoint(hugetlbfs_t)
 fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
-dev_associate_sysfs(hugetlbfs_t)
+dev_associate(hugetlbfs_t)

 type ibmasmfs_t;
 fs_type(ibmasmfs_t)
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@ -576,6 +576,7 @@ domain_use_interactive_fds(xdm_t)
 # Do not audit denied probes of /proc.
 domain_dontaudit_read_all_domains_state(xdm_t)
 domain_dontaudit_ptrace_all_domains(xdm_t)
+domain_dontaudit_signal_all_domains(xdm_t)

 files_read_etc_files(xdm_t)
 files_read_var_files(xdm_t)