trunk: 6 patches from dan.
This commit is contained in:
parent
8f800d48df
commit
42d567c3f4
@ -12,7 +12,9 @@
|
|||||||
- Remove node definitions and change node usage to generic nodes.
|
- Remove node definitions and change node usage to generic nodes.
|
||||||
- Add kernel_service access vectors, from Stephen Smalley.
|
- Add kernel_service access vectors, from Stephen Smalley.
|
||||||
- Added modules:
|
- Added modules:
|
||||||
|
gues (Dan Walsh)
|
||||||
logadm (Dan Walsh)
|
logadm (Dan Walsh)
|
||||||
|
xguest (Dan Walsh)
|
||||||
zosremote (Dan Walsh)
|
zosremote (Dan Walsh)
|
||||||
|
|
||||||
* Wed Dec 10 2008 Chris PeBenito <selinux@tresys.com> - 2.20081210
|
* Wed Dec 10 2008 Chris PeBenito <selinux@tresys.com> - 2.20081210
|
||||||
|
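--- /dev/null
+++ b/config/appconfig-mcs/guest_u_default_contexts
@@ -0,0 +1,6 @@
+guest_r:guest_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_t:s0
+system_r:initrc_su_t:s0 guest_r:guest_t:s0
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0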
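--- /dev/null
+++ b/config/appconfig-mcs/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t:s0 xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+system_r:local_login_t:s0 xguest_r:xguest_t:s0
+system_r:remote_login_t:s0 xguest_r:xguest_t:s0
+system_r:sshd_t:s0 xguest_r:xguest_t:s0
+system_r:xdm_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0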
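--- /dev/null
+++ b/config/appconfig-mls/guest_u_default_contexts
@@ -0,0 +1,5 @@
+guest_r:guest_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_t:s0
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0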
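Review bot: The MLS variant of guest_u_default_contexts omits the `system_r:initrc_su_t:s0 guest_r:guest_t:s0` entry that both the MCS and standard variants of the same file carry, so a login originating from initrc_su_t would find no default context for the guest user under MLS while it does under MCS. If the omission is deliberate, a comment in the file saying so would help; otherwise add the missing line so the three variants agree. The xguest_u_default_contexts variants added in the same commit are consistent with each other across all three appconfig directories.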
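--- /dev/null
+++ b/config/appconfig-mls/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t:s0 xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+system_r:local_login_t:s0 xguest_r:xguest_t:s0
+system_r:remote_login_t:s0 xguest_r:xguest_t:s0
+system_r:sshd_t:s0 xguest_r:xguest_t:s0
+system_r:xdm_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0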
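--- /dev/null
+++ b/config/appconfig-standard/guest_u_default_contexts
@@ -0,0 +1,7 @@
+guest_r:guest_t guest_r:guest_t
+system_r:crond_t guest_r:guest_t
+system_r:initrc_su_t guest_r:guest_t
+system_r:local_login_t guest_r:guest_t
+system_r:remote_login_t guest_r:guest_t
+system_r:sshd_t guest_r:guest_t
+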
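--- /dev/null
+++ b/config/appconfig-standard/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t xguest_r:xguest_t
+system_r:initrc_su_t xguest_r:xguest_t
+system_r:local_login_t xguest_r:xguest_t
+system_r:remote_login_t xguest_r:xguest_t
+system_r:sshd_t xguest_r:xguest_t
+system_r:xdm_t xguest_r:xguest_t
+xguest_r:xguest_t xguest_r:xguest_t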
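--- /dev/null
+++ b/policy/modules/roles/guest.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon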
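--- /dev/null
+++ b/policy/modules/roles/guest.if
@@ -0,0 +1,50 @@
+## <summary>Least privledge terminal user role</summary>
+
+########################################
+## <summary>
+## Change to the guest role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`guest_role_change',`
+gen_require(`
+role guest_r;
+')
+
+allow $1 guest_r;
+')
+
+########################################
+## <summary>
+## Change from the guest role.
+## </summary>
+## <desc>
+## <p>
+## Change from the guest role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`guest_role_change_to',`
+gen_require(`
+role guest_r;
+')
+
+allow guest_r $1;
+')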
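Review bot: The module summary on the first line of guest.if reads `## <summary>Least privledge terminal user role</summary>`; "privledge" is a misspelling of "privilege", and this summary is the text the interface documentation generator publishes for the module. The same misspelling appears in the summary line of xguest.if added by this commit (`Least privledge xwindows user role`). Proposed: `## <summary>Least privilege terminal user role</summary>` here and `## <summary>Least privilege xwindows user role</summary>` in xguest.if.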
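--- /dev/null
+++ b/policy/modules/roles/guest.te
@@ -0,0 +1,22 @@
+
+policy_module(guest, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role xguest_r;
+
+userdom_restricted_user_template(guest)
+
+########################################
+#
+# Local policy
+#
+
+optional_policy(`
+java_role(guest_r, guest_t)
+')
+
+#gen_user(guest_u,, guest_r, s0, s0)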
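Review bot: The Declarations section of guest.te declares `role xguest_r;`, while everything else in this module refers to guest_r — guest.if's gen_require blocks name `role guest_r;` and the local policy calls `java_role(guest_r, guest_t)` — and xguest.te in the same commit already declares xguest_r for itself. This looks like a line carried over from xguest.te; unless userdom_restricted_user_template(guest) declares the role on its own (not visible here), guest_r would be left undeclared by this module and an unrelated role gets a second declaration. Change the line to `role guest_r;`.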
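--- /dev/null
+++ b/policy/modules/roles/xguest.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon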
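--- /dev/null
+++ b/policy/modules/roles/xguest.if
@@ -0,0 +1,50 @@
+## <summary>Least privledge xwindows user role</summary>
+
+########################################
+## <summary>
+## Change to the xguest role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xguest_role_change',`
+gen_require(`
+role xguest_r;
+')
+
+allow $1 xguest_r;
+')
+
+########################################
+## <summary>
+## Change from the xguest role.
+## </summary>
+## <desc>
+## <p>
+## Change from the xguest role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xguest_role_change_to',`
+gen_require(`
+role xguest_r;
+')
+
+allow xguest_r $1;
+')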
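--- /dev/null
+++ b/policy/modules/roles/xguest.te
@@ -0,0 +1,83 @@
+
+policy_module(xguest, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow xguest users to mount removable media
+## </p>
+## </desc>
+gen_tunable(xguest_mount_media, true)
+
+## <desc>
+## <p>
+## Allow xguest to configure Network Manager
+## </p>
+## </desc>
+gen_tunable(xguest_connect_network, true)
+
+## <desc>
+## <p>
+## Allow xguest to use blue tooth devices
+## </p>
+## </desc>
+gen_tunable(xguest_use_bluetooth, true)
+
+role xguest_r;
+
+userdom_restricted_xwindows_user_template(xguest)
+
+########################################
+#
+# Local policy
+#
+
+# Allow mounting of file systems
+optional_policy(`
+tunable_policy(`xguest_mount_media',`
+kernel_read_fs_sysctls(xguest_t)
+
+files_dontaudit_getattr_boot_dirs(xguest_t)
+files_search_mnt(xguest_t)
+
+fs_manage_noxattr_fs_files(xguest_t)
+fs_manage_noxattr_fs_dirs(xguest_t)
+fs_manage_noxattr_fs_dirs(xguest_t)
+fs_getattr_noxattr_fs(xguest_t)
+fs_read_noxattr_fs_symlinks(xguest_t)
+
+auth_list_pam_console_data(xguest_t)
+
+init_read_utmp(xguest_t)
+')
+')
+
+optional_policy(`
+tunable_policy(`xguest_use_bluetooth',`
+bluetooth_dbus_chat(xguest_t)
+')
+')
+
+optional_policy(`
+hal_dbus_chat(xguest_t)
+')
+
+optional_policy(`
+java_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+mozilla_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+tunable_policy(`xguest_connect_network',`
+networkmanager_dbus_chat(xguest_t)
+')
+')
+
+#gen_user(xguest_u,, xguest_r, s0, s0)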
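Review bot: `fs_manage_noxattr_fs_dirs(xguest_t)` is listed twice in a row inside the `xguest_mount_media` tunable_policy block; the second copy is redundant and should be dropped. Separately, all three tunables added in the Declarations section (`xguest_mount_media`, `xguest_connect_network`, `xguest_use_bluetooth`) default to `true`, so a role that xguest.if describes as least-privilege ships with removable-media management, NetworkManager D-Bus access and bluetooth D-Bus access enabled until an administrator disables them; if that is the intended out-of-the-box behaviour, a one-line comment above each gen_tunable saying why the default is permissive would make that explicit, otherwise `false` is the conservative default for a guest role. `hal_dbus_chat(xguest_t)` is also granted unconditionally rather than behind any tunable, which deserves a comment stating what the guest desktop needs it for.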