trunk: add labeled networking support to unconfined.

2007-11-14 14:38:45 +00:00 · 2007-11-14 14:38:45 +00:00 · bdccbacdd6
parent a56055e362
commit bdccbacdd6
5 changed files with 33 additions and 8 deletions
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@ -1,5 +1,5 @@
-policy_module(domain,1.4.3)
+policy_module(domain,1.4.4)
 ########################################
 #
@ -145,3 +145,6 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
 # receive from all domains over labeled networking
 domain_all_recvfrom_all_domains(unconfined_domain_type)
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@ -112,6 +112,24 @@ interface(`ipsec_manage_pid',`
 	manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
 ')
 ########################################
 ## <summary>
 ##      Allow to set an default security context of IPsec Policy.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`ipsec_setcontext_default_spd',`
 	gen_require(`
 		type ipsec_spd_t;
 	')
 	allow $1 ipsec_spd_t:association setcontext;
 ')
 ########################################
 ## <summary>
 ##	Execute racoon in the racoon domain.
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@ -1,5 +1,5 @@
-policy_module(ipsec,1.4.2)
+policy_module(ipsec,1.4.3)
 ########################################
 #
@ -297,8 +297,6 @@ allow racoon_t ipsec_key_file_t:dir list_dir_perms;
 read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
 read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
 allow racoon_t ipsec_spd_t:association setcontext;
 kernel_read_network_state(racoon_t)
 corenet_all_recvfrom_unlabeled(racoon_t)
@ -315,6 +313,8 @@ files_read_etc_files(racoon_t)
 # allow racoon to use avc_has_perm to check context on proposed SA
 selinux_compute_access_vector(racoon_t)
 ipsec_setcontext_default_spd(racoon_t)
 libs_use_ld_so(racoon_t)
 libs_use_shared_libs(racoon_t)
@ -338,9 +338,6 @@ allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
 read_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
 read_lnk_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
 # allow setkey to set the context for ipsec SAs and policy.
 allow setkey_t ipsec_spd_t:association setcontext;
 # allow setkey utility to set contexts on SA's and policy
 domain_ipsec_setcontext_all_domains(setkey_t)
@ -348,6 +345,9 @@ files_read_etc_files(setkey_t)
 init_dontaudit_use_fds(setkey_t)
 # allow setkey to set the context for ipsec SAs and policy.
 ipsec_setcontext_default_spd(setkey_t)
 locallogin_use_fds(setkey_t)
 libs_use_ld_so(setkey_t)
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@ -72,6 +72,10 @@ interface(`unconfined_domain_noaudit',`
 		dbus_system_bus_unconfined($1)
 	')
 	optional_policy(`
 		ipsec_setcontext_default_spd($1)
 	')
 	optional_policy(`
 		# this is to handle execmod on shared
 		# libs with text relocations
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@ -1,5 +1,5 @@
-policy_module(unconfined,2.0.0)
+policy_module(unconfined,2.0.1)
 ########################################
 #