Allow sudo domains to manage /var/db/sudo

Allow init_t and initrc_t to dbus chat
Allow pulseaudio to read /usr/share/alsa/alsa.conf
Dan Walsh 2010-09-08 17:27:24 -04:00
parent a75a591e52
commit b36c20b2a9
5 changed files with 16 additions and 0 deletions


@ -1,2 +1,4 @@
/usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0) /usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0)
/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
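Review bot: The new `/var/db/sudo(/.*)?` entry only takes effect when the path is labelled, that is at package install or on a `restorecon` run. None of the sections visible in this commit adds a type transition for `sudo_db_t`, so a directory that sudo creates at run time would presumably inherit the parent's type, and the new manage rule in the template would not match it. Confirm that the directory is package-owned or add a transition such as `files_var_filetrans($1_sudo_t, sudo_db_t, dir)` in the template. Systems that already have the directory need a relabel after the policy update.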


@ -32,6 +32,7 @@ template(`sudo_role_template',`
gen_require(` gen_require(`
type sudo_exec_t; type sudo_exec_t;
type sudo_db_t;
attribute sudodomain; attribute sudodomain;
') ')
@ -47,6 +48,8 @@ template(`sudo_role_template',`
ubac_constrained($1_sudo_t) ubac_constrained($1_sudo_t)
role $2 types $1_sudo_t; role $2 types $1_sudo_t;
manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
############################## ##############################
# #
# Local Policy # Local Policy
@ -113,6 +116,7 @@ template(`sudo_role_template',`
term_relabel_all_ttys($1_sudo_t) term_relabel_all_ttys($1_sudo_t)
term_relabel_all_ptys($1_sudo_t) term_relabel_all_ptys($1_sudo_t)
term_getattr_pty_fs($1_sudo_t)
auth_run_chk_passwd($1_sudo_t, $2) auth_run_chk_passwd($1_sudo_t, $2)
# sudo stores a token in the pam_pid directory # sudo stores a token in the pam_pid directory
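Review bot: `manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)` grants file management only, not directory creation or removal. If the sudo build in use keeps its timestamp records in per-user subdirectories under /var/db/sudo, the first ticket write would still be denied; adding `manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)` beside it would cover that case. Every role's `$1_sudo_t` gets the same access to the single `sudo_db_t` type, so the type itself does not separate one role's tickets from another's. A short comment should say whether `ubac_constrained` or DAC is relied on for that separation. The rule also sits above the "Local Policy" banner with the declarations, where the other allow rules appear to be below it. The template body starts and ends outside these hunks.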


@ -7,3 +7,7 @@ attribute sudodomain;
type sudo_exec_t; type sudo_exec_t;
application_executable_file(sudo_exec_t) application_executable_file(sudo_exec_t)
type sudo_db_t;
files_type(sudo_db_t)


@ -95,6 +95,10 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t) miscfiles_read_localization(pulseaudio_t)
optional_policy(`
alsa_read_rw_config(pulseaudio_t)
')
optional_policy(` optional_policy(`
bluetooth_stream_connect(pulseaudio_t) bluetooth_stream_connect(pulseaudio_t)
') ')
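Review bot: The added `alsa_read_rw_config(pulseaudio_t)` block carries no comment, and the interface name points at ALSA's writable configuration type rather than the /usr/share/alsa/alsa.conf file the commit message names. A one-line comment above the call, for example `# read /usr/share/alsa/alsa.conf`, would tie the rule to its reason. Whether that path is labelled with the type this interface covers is not visible here and should be checked against the alsa file contexts. If it is not, the rule grants read access to other ALSA state without fixing the denial.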


@ -782,6 +782,8 @@ optional_policy(`
dbus_read_config(initrc_t) dbus_read_config(initrc_t)
dbus_manage_lib_files(initrc_t) dbus_manage_lib_files(initrc_t)
init_dbus_chat(initrc_t)
optional_policy(` optional_policy(`
consolekit_dbus_chat(initrc_t) consolekit_dbus_chat(initrc_t)
') ')
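Review bot: `init_dbus_chat(initrc_t)` is added with no comment on what needs it, and `initrc_t` is the domain that runs init scripts, so D-Bus messaging with init is a broader grant than the neighbouring config and lib-file rules. If a specific AVC denial motivated it, record that next to the call, for example `# initrc scripts exchange D-Bus messages with init`. The commit message names both `init_t` and `initrc_t`, but only the `initrc_t` call is visible in this hunk. The interface presumably grants `send_msg` in both directions; confirm that against its definition. The enclosing `optional_policy` block starts and ends outside the hunk.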