From c6a60bb28d9818adbf693d05938786e0d3629d0b Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 14 Nov 2006 13:38:52 +0000
Subject: [PATCH] On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote:
> Here is the policy changes needed for the context contains security
> checking in PAM and cron.
---
 Changelog | 1 +
 policy/flask/access_vectors | 1 +
 policy/mls | 3 +++
 policy/modules/system/userdomain.if | 6 ++++++
 policy/modules/system/userdomain.te | 2 +-
 5 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index 87fd0ff08..1bdd76e70 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Context contains checking for PAM and cron from James Antill.
 - Add a reload target to Modules.devel and change the load target to only insert modules that were changed.
 - Allow semanage to read from /root on strict non-MLS for
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 641dcd23d..4848d2591 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -635,4 +635,5 @@ class key
 class context
 {
 translate
+ contains
 }
diff --git a/policy/mls b/policy/mls
index 8ab1332fc..bdca162b8 100644
--- a/policy/mls
+++ b/policy/mls
@@ -597,4 +597,7 @@ mlsconstrain association { polmatch }
 mlsconstrain context translate
 (( h1 dom h2 ) or ( t1 == mlstranslate ));
+mlsconstrain context contains
+ ( h1 dom h2 );
+
 ') dnl end enable_mls
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 0532edcd2..c47a891ba 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -22,6 +22,11 @@
 ##
 #
 template(`userdom_base_user_template',`
+
+ gen_require(`
+ class context contains;
+ ')
+
 attribute $1_file_type;
 type $1_t, userdomain;
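Review bot: The new `mlsconstrain context contains ( h1 dom h2 );` compares only the high levels of the two contexts, so a target context whose low level sits below the source's low level still satisfies the check; if `contains` is meant to say that the target's MLS range lies within the source's range, the rule should be `(( h1 dom h2 ) and ( l1 domby l2 ));`. Whether the PAM and cron callers named in the description depend on the low bound is not visible in this patch, so confirm against them before tightening. Because the rule sits inside the `enable_mls` block (its closing `')` is in the hunk), non-MLS builds carry no constraint at all and the permission is decided by type enforcement alone. Since neither this file nor access_vectors says what the new permission means, a comment above the rule such as `# contains: the target context's MLS range lies within the source's range` would help the next reader.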
@@ -49,6 +54,7 @@ template(`userdom_base_user_template',`
 allow $1_t self:sem create_sem_perms;
 allow $1_t self:msgq create_msgq_perms;
 allow $1_t self:msg { send receive };
+ allow $1_t self:context contains;
 dontaudit $1_t self:socket create;
 allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 7999ffe4e..865fd4218 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,2.0.2)
+policy_module(userdomain,2.0.3)
 gen_require(`
 role sysadm_r, staff_r, user_r;
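Review bot: The added `allow $1_t self:context contains;` has no comment explaining why a user domain needs this permission on itself, and since the `contains` permission is introduced by this same patch nothing else in the policy explains it either. A one-line comment above the rule, e.g. `# let PAM and cron verify that a requested context's range falls within this user's range`, would make the intent clear; the source and target of that check presumably both carry the user's type, which is why self suffices — confirm against the callers. The rule appears unconditional here, so on non-MLS builds, where the constraint added to policy/mls does not apply, the check reduces to plain type enforcement. The template body continues outside the hunk.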