trunk: 2 patches from dan

Chris PeBenito 2007-06-13 13:54:56 +00:00
parent a74d1ad7cd
commit d139413c64
3 changed files with 78 additions and 30 deletions


@ -33,7 +33,6 @@
## </param> ## </param>
# #
template(`uml_per_role_template',` template(`uml_per_role_template',`
gen_require(` gen_require(`
type uml_ro_t, uml_exec_t; type uml_ro_t, uml_exec_t;
') ')
@ -42,6 +41,7 @@ template(`uml_per_role_template',`
# #
# Declarations # Declarations
# #
type $1_uml_t; type $1_uml_t;
domain_type($1_uml_t) domain_type($1_uml_t)
role $3 types $1_uml_t; role $3 types $1_uml_t;
@ -192,34 +192,6 @@ template(`uml_per_role_template',`
optional_policy(` optional_policy(`
nis_use_ypbind($1_uml_t) nis_use_ypbind($1_uml_t)
') ')
ifdef(`TODO',`
# for X
optional_policy(`
ifelse($1, sysadm,`
',`
optional_policy(`
allow $1_uml_t xdm_xserver_tmp_t:dir search;
')
allow $1_uml_t $1_xserver_tmp_t:sock_file write;
allow $1_uml_t $1_xserver_t:unix_stream_socket connectto;
')
')
optional_policy(`
# for uml_net
domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
allow uml_net_t $1_uml_t:unix_stream_socket { read write };
allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
dontaudit uml_net_t privfd:fd use;
can_access_pty(uml_net_t, $1_uml)
dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
')
#TODO
optional_policy(`
allow $1_uml_t $1_xauth_home_t:file { getattr read };
')
')
') ')
######################################## ########################################


@ -1 +1,77 @@
## <summary>Who is logged in on other machines?</summary> ## <summary>Who is logged in on other machines?</summary>
########################################
## <summary>
## Execute a domain transition to run rwho.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rwho_domtrans',`
gen_require(`
type rwho_t, rwho_exec_t;
')
domtrans_pattern($1,rwho_exec_t,rwho_t)
')
########################################
## <summary>
## Search rwho spool directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rwho_search_spool',`
gen_require(`
type rwho_spool_t;
')
allow $1 rwho_spool_t:dir search_dir_perms;
files_search_spool($1)
')
########################################
## <summary>
## Read rwho spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rwho_read_spool_files',`
gen_require(`
type rwho_spool_t;
')
read_files_pattern($1,rwho_spool_t,rwho_spool_t)
files_search_spool($1)
')
########################################
## <summary>
## Create, read, write, and delete
## rwho spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rwho_manage_spool_files',`
gen_require(`
type rwho_spool_t;
')
manage_files_pattern($1,rwho_spool_t,rwho_spool_t)
files_search_spool($1)
')
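Review bot: `rwho_domtrans` (the first interface after the file summary line) grants only the type transition into rwho_t; a caller whose role is not authorized for rwho_t will still have the transition refused by RBAC, and nothing in the new file pairs the domtrans with a role authorization. If interactive user domains are expected to invoke rwho, the usual companion is a `rwho_run` interface that takes the role as `$2` and declares `role $2 types rwho_t;`, the same form uml.if already uses in its `role $3 types $1_uml_t;` statement; a sketch is below. The three spool interfaces are consistent with each other (each re-requires `rwho_spool_t` and adds `files_search_spool($1)`), so no change is proposed there.

```m4
# … unchanged: rwho_domtrans and the three rwho_*_spool* interfaces …

########################################
## <summary>
##	Execute rwho in the rwho domain, and
##	allow the specified role the rwho domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the rwho domain.
##	</summary>
## </param>
#
interface(`rwho_run',`
	gen_require(`
		type rwho_t;
	')

	rwho_domtrans($1)
	role $2 types rwho_t;
')
```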


@ -1,5 +1,5 @@
policy_module(rwho,1.0.0) policy_module(rwho,1.0.1)
######################################## ########################################
# #