From 64daa85393e97875ad924a72df38f92ecb600666 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 15 Jan 2009 15:07:37 +0000
Subject: [PATCH] trunk: add sysadm_entry_spec_domtrans_to() interface from clip.
---
 policy/modules/roles/sysadm.if | 35 ++++++++++++++++++++++++++++++++++
 policy/modules/roles/sysadm.te | 2 +-
 2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
index 42be030fa..ff9243078 100644
--- a/policy/modules/roles/sysadm.if
+++ b/policy/modules/roles/sysadm.if
@@ -114,6 +114,41 @@ interface(`sysadm_entry_spec_domtrans',`
 allow sysadm_t $1:process sigchld;
 ')
+########################################
+##
+## Allow sysadm to execute all entrypoint files in
+## a specified domain. This is an explicit transition,
+## requiring the caller to use setexeccon().
+##
+##
+##

+## Allow sysadm to execute all entrypoint files in
+## a specified domain. This is an explicit transition,
+## requiring the caller to use setexeccon().
+##

+##

+## This is a interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##

+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sysadm_entry_spec_domtrans_to',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ domain_entry_file_spec_domtrans(sysadm_t, $1)
+ allow $1 sysadm_t:fd use;
+ allow $1 sysadm_t:fifo_file rw_file_perms;
+ allow $1 sysadm_t:process sigchld;
+')
+
 ########################################
 ##
 ## Allow sysadm to execute a generic bin program in
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e69ab7c4d..b17984d9e 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,5 +1,5 @@
-policy_module(sysadm, 2.0.0)
+policy_module(sysadm, 2.0.1)
 ########################################
 #
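Review bot: The parameter description `Domain allowed access.` on the new `sysadm_entry_spec_domtrans_to` interface describes $1 backwards: the body calls `domain_entry_file_spec_domtrans(sysadm_t, $1)`, so $1 is the domain sysadm_t may enter through any of its entrypoint files, and I would word it `Domain sysadm is allowed to transition to.` The summary and the first description paragraph are identical, so the description could instead spell out what a caller hands out: sysadm_t gets an explicit (setexeccon) transition into $1, and $1 gets `fd use`, `fifo_file rw_file_perms` and `process sigchld` on sysadm_t. The restriction to third-party modules exists only as comment text, so reviewers of later changes have to check callers by hand. The interface contains no `role` statement, so presumably the caller must still authorize $1 for the role sysadm runs in; if so, the comment should say it. In the same comment, `This is a interface` should read `This is an interface`.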