add key support

2006-06-21 21:02:49 +00:00 · 2006-06-21 21:02:49 +00:00 · fe3a1eb846
commit fe3a1eb846
parent 2dd1d307f6
7 changed files with 59 additions and 1 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -1,3 +1,4 @@
 - Add key support from Michael LeMay.
 - Add ftpdctl domain to ftp, from Paul Howarth.
 - Fix build system to not move type declarations out of optionals.
 - Add gcc-config domain to portage.
--- a/refpolicy/policy/flask/access_vectors
+++ b/refpolicy/policy/flask/access_vectors
@ -252,6 +252,7 @@ class process
 	execmem
 	execstack
 	execheap
 	setkeycreate
 }
@ -617,3 +618,14 @@ class packet
 	recv
 	relabelto
 }
 class key
 {
 	view
 	read
 	write
 	search
 	link
 	setattr
 	create
 }
--- a/refpolicy/policy/flask/security_classes
+++ b/refpolicy/policy/flask/security_classes
@ -90,4 +90,7 @@ class appletalk_socket
 class packet
 # Kernel access key retention
 class key
 # FLASK
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@ -80,7 +80,7 @@ optional_policy(`
 #
 allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms };
+allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms setkeycreate };
 allow xdm_t self:fifo_file rw_file_perms;
 allow xdm_t self:shm create_shm_perms;
 allow xdm_t self:sem create_sem_perms;
@ -214,6 +214,7 @@ sysnet_read_config(xdm_t)
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
 userdom_create_all_users_keys(xdm_t)
 # for .dmrc
 userdom_read_unpriv_users_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@ -169,6 +169,7 @@ userdom_signal_all_users(local_login_t)
 userdom_search_all_users_home_content(local_login_t)
 userdom_use_unpriv_users_fds(local_login_t)
 userdom_sigchld_all_users(local_login_t)
 userdom_create_all_users_keys(local_login_t)
 # Search for mail spool file.
 mta_getattr_spool(local_login_t)
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@ -358,6 +358,24 @@ interface(`unconfined_dontaudit_rw_tcp_sockets',`
 	dontaudit $1 unconfined_t:tcp_socket { read write };
 ')
 ########################################
 ## <summary>
 ##	Create keys for the unconfined domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`unconfined_create_keys',`
 	gen_require(`
 		type unconfined_t;
 	')
 	allow $1 unconfined_t:key create;
 ')
 ########################################
 ## <summary>
 ##	Send messages to the unconfined domain over dbus.
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -4730,6 +4730,28 @@ interface(`userdom_sigchld_all_users',`
 	allow $1 userdomain:process sigchld;
 ')
 ########################################
 ## <summary>
 ##	Create keys for all user domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`userdom_create_all_users_keys',`
 	ifdef(`strict_policy',`
 		gen_require(`
 			attribute userdomain;
 		')
 		allow $1 userdomain:key create;
 	',`
 		unconfined_create_keys($1)
 	')
 ')
 ########################################
 ## <summary>
 ##	Send a dbus message to all user domains.