From 1d697ce7d29cadb5a54ed1af4a58d845058a52e1 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 18 Nov 2005 18:38:37 +0000 Subject: [PATCH] add last bits from dan --- refpolicy/policy/modules/admin/su.if | 8 ++++++++ refpolicy/policy/modules/system/unconfined.if | 16 ++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if index f52bae503..c29694389 100644 --- a/refpolicy/policy/modules/admin/su.if +++ b/refpolicy/policy/modules/admin/su.if @@ -211,6 +211,13 @@ template(`su_per_userdomain_template',` userdom_search_user_home($1,$1_su_t) ifdef(`targeted_policy',` + # allow user to suspend terminal. + # does not work in strict since the + # parent may not be able to use + # the terminal if we newrole, + # which relabels the terminal. + allow $1_su_t self:process sigstop; + corecmd_exec_bin($1_su_t) userdom_manage_all_user_files($1_su_t) userdom_manage_all_user_symlinks($1_su_t) @@ -220,6 +227,7 @@ template(`su_per_userdomain_template',` # make sediff easier. if(!secure_mode) { unconfined_domtrans($1_su_t) + unconfined_signal($1_su_t) } ',` if(secure_mode) { diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index 19f21b031..66c46751f 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if @@ -185,6 +185,22 @@ interface(`unconfined_sigchld',` allow $1 unconfined_t:process sigchld; ') +######################################## +## +## Send generic signals to the unconfined domain. +## +## +## Domain allowed access. +## +# +interface(`unconfined_signal',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process signal; +') + ######################################## ## ## Do not audit attempts to read unconfined domain unnamed pipes.