trunk: 5 patches from dan.
parent
11c944faf1
commit
da04234f32
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(alsa, 1.7.0)
|
policy_module(alsa, 1.7.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -43,6 +43,7 @@ kernel_read_system_state(alsa_t)
|
|||||||
|
|
||||||
dev_read_sound(alsa_t)
|
dev_read_sound(alsa_t)
|
||||||
dev_write_sound(alsa_t)
|
dev_write_sound(alsa_t)
|
||||||
|
dev_read_sysfs(alsa_t)
|
||||||
|
|
||||||
corecmd_exec_bin(alsa_t)
|
corecmd_exec_bin(alsa_t)
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(consoletype, 1.7.0)
|
policy_module(consoletype, 1.7.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -18,7 +18,7 @@ role system_r types consoletype_t;
|
|||||||
# Local declarations
|
# Local declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
allow consoletype_t self:capability sys_admin;
|
allow consoletype_t self:capability { sys_admin sys_tty_config };
|
||||||
allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow consoletype_t self:fd use;
|
allow consoletype_t self:fd use;
|
||||||
allow consoletype_t self:fifo_file rw_fifo_file_perms;
|
allow consoletype_t self:fifo_file rw_fifo_file_perms;
|
||||||
@ -38,6 +38,7 @@ kernel_dontaudit_read_system_state(consoletype_t)
|
|||||||
fs_getattr_all_fs(consoletype_t)
|
fs_getattr_all_fs(consoletype_t)
|
||||||
fs_search_auto_mountpoints(consoletype_t)
|
fs_search_auto_mountpoints(consoletype_t)
|
||||||
fs_write_nfs_files(consoletype_t)
|
fs_write_nfs_files(consoletype_t)
|
||||||
|
fs_list_inotifyfs(consoletype_t)
|
||||||
|
|
||||||
mls_file_read_all_levels(consoletype_t)
|
mls_file_read_all_levels(consoletype_t)
|
||||||
mls_file_write_all_levels(consoletype_t)
|
mls_file_write_all_levels(consoletype_t)
|
||||||
|
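Review bot: The widened rule `allow consoletype_t self:capability { sys_admin sys_tty_config };` carries no comment saying which operation needs `sys_tty_config`, and it keeps `sys_admin` alongside it. If the denial behind this change was a tty ioctl, it is worth checking whether `sys_admin` is still required, since it is by far the broader of the two; that cannot be judged from this hunk alone. I would add a line above the rule such as `# sys_tty_config: tty ioctls issued while probing the console type (confirm)`. The added `fs_list_inotifyfs(consoletype_t)` in the second hunk may be covering a descriptor inherited from the caller rather than something consoletype opens itself, in which case a dontaudit rule rather than an allow would be the tighter choice.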
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(netutils, 1.8.2)
|
policy_module(netutils, 1.8.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -128,6 +128,8 @@ domain_use_interactive_fds(ping_t)
|
|||||||
files_read_etc_files(ping_t)
|
files_read_etc_files(ping_t)
|
||||||
files_dontaudit_search_var(ping_t)
|
files_dontaudit_search_var(ping_t)
|
||||||
|
|
||||||
|
kernel_read_system_state(ping_t)
|
||||||
|
|
||||||
auth_use_nsswitch(ping_t)
|
auth_use_nsswitch(ping_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(ping_t)
|
logging_send_syslog_msg(ping_t)
|
||||||
@ -145,6 +147,10 @@ tunable_policy(`user_ping',`
|
|||||||
term_use_all_user_ptys(ping_t)
|
term_use_all_user_ptys(ping_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
munin_append_log(ping_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
pcmcia_use_cardmgr_fds(ping_t)
|
pcmcia_use_cardmgr_fds(ping_t)
|
||||||
')
|
')
|
||||||
|
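Review bot: `kernel_read_system_state(ping_t)` is added after the `files_*` calls in the first hunk, whereas refpolicy layout, as I understand it, puts `kernel_*` interface calls at the head of the kernel-layer group, ahead of `domain_*` and `files_*`. The start of that group is outside the hunk, so the author has to pick the exact position, but moving the line up keeps the file easy to scan when auditing what ping_t can read. The `munin_append_log(ping_t)` block in the second hunk should get a one-line comment such as `# munin plugins run ping with output redirected to the munin log (confirm)`, because a network utility appending to another service's log is not self-explanatory.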
@ -18,3 +18,28 @@ interface(`vbetool_domtrans',`
|
|||||||
corecmd_search_bin($1)
|
corecmd_search_bin($1)
|
||||||
domtrans_pattern($1, vbetool_exec_t, vbetool_t)
|
domtrans_pattern($1, vbetool_exec_t, vbetool_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute vbetool in the vbetool domain, and
|
||||||
|
## allow the specified role the vbetool domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="role">
|
||||||
|
## <summary>
|
||||||
|
## The role to be allowed the vbetool domain.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`vbetool_run',`
|
||||||
|
gen_require(`
|
||||||
|
type vbetool_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
vbetool_domtrans($1)
|
||||||
|
role $2 types vbetool_t;
|
||||||
|
')
|
||||||
|
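Review bot: The doc header of the new `vbetool_run` interface has no `## <rolecap/>` line after the `role` parameter, which `*_run` interfaces in refpolicy normally carry so the generated documentation lists them as role capabilities. Add `## <rolecap/>` between the last `## </param>` and the closing `#`. The body itself (`vbetool_domtrans($1)` followed by `role $2 types vbetool_t;`) follows the usual pattern.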
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(vbetool, 1.3.0)
|
policy_module(vbetool, 1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -23,6 +23,8 @@ dev_read_raw_memory(vbetool_t)
|
|||||||
dev_rwx_zero(vbetool_t)
|
dev_rwx_zero(vbetool_t)
|
||||||
dev_read_sysfs(vbetool_t)
|
dev_read_sysfs(vbetool_t)
|
||||||
|
|
||||||
|
domain_mmap_low(vbetool_t)
|
||||||
|
|
||||||
term_use_unallocated_ttys(vbetool_t)
|
term_use_unallocated_ttys(vbetool_t)
|
||||||
|
|
||||||
miscfiles_read_localization(vbetool_t)
|
miscfiles_read_localization(vbetool_t)
|
||||||
|
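Review bot: `domain_mmap_low(vbetool_t)` is added with no comment, and it is the most sensitive grant in this commit. It lets the domain map pages at low addresses, which is the restriction that limits the impact of kernel NULL-pointer dereference bugs. Together with `dev_read_raw_memory` (visible in the hunk header) and `dev_rwx_zero` in the context lines, this makes vbetool_t a domain whose entry points deserve tight control. I would document the reason directly above the call, e.g. `# vbetool maps low memory to run video BIOS code in real-mode emulation (confirm)`, and check that only the domains that need `vbetool_domtrans` or `vbetool_run` are given them.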
@ -45,6 +45,24 @@ interface(`vpn_run',`
|
|||||||
sysnet_run_ifconfig(vpnc_t, $2)
|
sysnet_run_ifconfig(vpnc_t, $2)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send VPN clients the kill signal.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`vpn_kill',`
|
||||||
|
gen_require(`
|
||||||
|
type vpnc_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 vpnc_t:process sigkill;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send generic signals to VPN clients.
|
## Send generic signals to VPN clients.
|
||||||
@ -63,6 +81,24 @@ interface(`vpn_signal',`
|
|||||||
allow $1 vpnc_t:process signal;
|
allow $1 vpnc_t:process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send signull to VPN clients.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`vpn_signull',`
|
||||||
|
gen_require(`
|
||||||
|
type vpnc_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 vpnc_t:process signull;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send and receive messages from
|
## Send and receive messages from
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(vpn, 1.10.2)
|
policy_module(vpn, 1.10.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -43,6 +43,26 @@ interface(`munin_read_config',`
|
|||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Append to the munin log.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`munin_append_log',`
|
||||||
|
gen_require(`
|
||||||
|
type munin_log_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 munin_log_t:file append_file_perms;
|
||||||
|
logging_search_logs($1)
|
||||||
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Search munin library directories.
|
## Search munin library directories.
|
||||||
|
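Review bot: The header of `munin_append_log` includes `## <rolecap/>`, but the interface takes no role argument, so the tag mislabels it in the generated documentation; drop that line. In the body, `allow $1 munin_log_t:file append_file_perms;` grants append on the files, while `logging_search_logs($1)` grants search of the generic log directory only. If the munin logs sit in a directory that is itself labelled munin_log_t, a caller opening the log by path would still be denied; if callers only inherit an already-open descriptor, the search grant is not needed. Which case applies is not visible here, so a comment stating the intended use (`# callers inherit the log fd from munin` or similar, to be confirmed) would settle it.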
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(munin, 1.6.1)
|
policy_module(munin, 1.6.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|