On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote:
> Here are the policy changes needed for the context contains security checking in PAM and cron.
This commit is contained in:
parent
59f8539306
commit
c6a60bb28d
@ -1,3 +1,4 @@
|
|||||||
|
- Context contains checking for PAM and cron from James Antill.
|
||||||
- Add a reload target to Modules.devel and change the load
|
- Add a reload target to Modules.devel and change the load
|
||||||
target to only insert modules that were changed.
|
target to only insert modules that were changed.
|
||||||
- Allow semanage to read from /root on strict non-MLS for
|
- Allow semanage to read from /root on strict non-MLS for
|
||||||
|
@ -635,4 +635,5 @@ class key
|
|||||||
class context
|
class context
|
||||||
{
|
{
|
||||||
translate
|
translate
|
||||||
|
contains
|
||||||
}
|
}
|
||||||
|
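Review bot: The new `contains` permission in `class context` carries no comment, and unlike `translate` next to it nothing on this page says who enforces it; since no kernel object manager checks the `context` class, a reader of access_vectors will look for an enforcer that does not exist. Suggest a comment above the new line: `# contains: userspace check (PAM, cron per this commit) that the source context may contain the target; the MLS part is the mlsconstrain in policy/mls`. The class body is fully visible in the hunk, so the comment fits there without touching other definitions.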
@ -597,4 +597,7 @@ mlsconstrain association { polmatch }
|
|||||||
mlsconstrain context translate
|
mlsconstrain context translate
|
||||||
(( h1 dom h2 ) or ( t1 == mlstranslate ));
|
(( h1 dom h2 ) or ( t1 == mlstranslate ));
|
||||||
|
|
||||||
|
mlsconstrain context contains
|
||||||
|
( h1 dom h2 );
|
||||||
|
|
||||||
') dnl end enable_mls
|
') dnl end enable_mls
|
||||||
|
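Review bot: `mlsconstrain context contains ( h1 dom h2 );` compares only the high levels, so a target range whose low level is below the source's low level still satisfies the constraint; if `contains` is meant as full range containment, the low end needs its own clause, e.g. `(( h1 dom h2 ) and ( l1 domby l2 ));`. That intent is inferred from the permission name and the commit message, so confirm it against what the PAM and cron callers pass as source and target. The constraint sits inside the `enable_mls` block (`') dnl end enable_mls`), so on non-MLS builds the permission is decided by the type rule alone.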
@ -22,6 +22,11 @@
|
|||||||
## <rolebase/>
|
## <rolebase/>
|
||||||
#
|
#
|
||||||
template(`userdom_base_user_template',`
|
template(`userdom_base_user_template',`
|
||||||
|
|
||||||
|
gen_require(`
|
||||||
|
class context contains;
|
||||||
|
')
|
||||||
|
|
||||||
attribute $1_file_type;
|
attribute $1_file_type;
|
||||||
|
|
||||||
type $1_t, userdomain;
|
type $1_t, userdomain;
|
||||||
@ -49,6 +54,7 @@ template(`userdom_base_user_template',`
|
|||||||
allow $1_t self:sem create_sem_perms;
|
allow $1_t self:sem create_sem_perms;
|
||||||
allow $1_t self:msgq create_msgq_perms;
|
allow $1_t self:msgq create_msgq_perms;
|
||||||
allow $1_t self:msg { send receive };
|
allow $1_t self:msg { send receive };
|
||||||
|
allow $1_t self:context contains;
|
||||||
dontaudit $1_t self:socket create;
|
dontaudit $1_t self:socket create;
|
||||||
|
|
||||||
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
|
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
|
||||||
|
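Review bot: `allow $1_t self:context contains;` grants the check to every user domain at the type level, so as far as this commit shows the only thing that can still deny it is the `mlsconstrain context contains` in policy/mls, and on a non-MLS build the PAM/cron check always succeeds for same-type contexts. A short comment on the new line would save the next reader from hunting for an object manager: `# context contains is a userspace check (PAM, cron); range policy is the mlsconstrain in policy/mls`. The `gen_require` hunk at `@ -22,6 +22,11 @@` in the same file only declares the class/permission and needs no separate note. The template body continues outside both hunks.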
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(userdomain,2.0.2)
|
policy_module(userdomain,2.0.3)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
role sysadm_r, staff_r, user_r;
|
role sysadm_r, staff_r, user_r;
|
||||||
|