On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote:

> Here are the policy changes needed for the context contains security
> checking in PAM and cron.
This commit is contained in:
Chris PeBenito 2006-11-14 13:38:52 +00:00
parent 59f8539306
commit c6a60bb28d
5 changed files with 12 additions and 1 deletions


@ -1,3 +1,4 @@
- Context contains checking for PAM and cron from James Antill.
- Add a reload target to Modules.devel and change the load - Add a reload target to Modules.devel and change the load
target to only insert modules that were changed. target to only insert modules that were changed.
- Allow semanage to read from /root on strict non-MLS for - Allow semanage to read from /root on strict non-MLS for


@ -635,4 +635,5 @@ class key
class context class context
{ {
translate translate
contains
} }
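Review bot: The new `contains` permission added to `class context` carries no comment describing what it checks, so a reader of this file has only the name to go by. Suggest a short comment beside it such as `# contains: check that one context's MLS range contains another's (used by PAM and cron)`, with the wording confirmed against the MLS constraint that gives the permission its meaning, since the PAM/cron purpose is stated only in the commit message. Appending it after `translate` rather than inserting before it is the right placement, as declaration order fixes the permission's bit value.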


@ -597,4 +597,7 @@ mlsconstrain association { polmatch }
mlsconstrain context translate mlsconstrain context translate
(( h1 dom h2 ) or ( t1 == mlstranslate )); (( h1 dom h2 ) or ( t1 == mlstranslate ));
mlsconstrain context contains
( h1 dom h2 );
') dnl end enable_mls ') dnl end enable_mls
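Review bot: The new `mlsconstrain context contains` rule compares only the high levels (`h1 dom h2`); the low levels of the two ranges are never examined, so whether the target range's low end must also lie within the source range is left implicit. If comparing high levels alone is the intended meaning of `contains` for the PAM/cron check named in the commit message, a comment saying so would stop readers from assuming full range containment; if full containment is intended, the expression would also need a low-level term such as `( l2 dom l1 )`. Unlike the `translate` constraint directly above it there is no type-based exemption, which looks deliberate but is worth stating in the same comment. The enclosing `ifdef enable_mls` block starts outside the hunk.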


@ -22,6 +22,11 @@
## <rolebase/> ## <rolebase/>
# #
template(`userdom_base_user_template',` template(`userdom_base_user_template',`
gen_require(`
class context contains;
')
attribute $1_file_type; attribute $1_file_type;
type $1_t, userdomain; type $1_t, userdomain;
@ -49,6 +54,7 @@ template(`userdom_base_user_template',`
allow $1_t self:sem create_sem_perms; allow $1_t self:sem create_sem_perms;
allow $1_t self:msgq create_msgq_perms; allow $1_t self:msgq create_msgq_perms;
allow $1_t self:msg { send receive }; allow $1_t self:msg { send receive };
allow $1_t self:context contains;
dontaudit $1_t self:socket create; dontaudit $1_t self:socket create;
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
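Review bot: The `allow $1_t self:context contains;` line in the second hunk is added without a comment, so nothing in the template says what the permission is for or that its security meaning comes from an MLS constraint defined elsewhere; the `gen_require` block in the first hunk is equally bare. Suggest `# let PAM and cron check that a requested context is contained in the user's range` above the allow line, taking the purpose from the commit message. Note also that the rule is unconditional while the constraint that defines `contains` lives under `enable_mls`, so on a non-MLS build the permission is simply granted by this rule — presumably intended, but worth a remark so the non-MLS behaviour is not mistaken for a check. The `userdom_base_user_template` body continues past the end of the hunk.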


@ -1,5 +1,5 @@
policy_module(userdomain,2.0.2) policy_module(userdomain,2.0.3)
gen_require(` gen_require(`
role sysadm_r, staff_r, user_r; role sysadm_r, staff_r, user_r;