On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote:

> Here is the policy changes needed for the context contains security
> checking in PAM and cron.

Changelog

@@ -1,3 +1,4 @@
+- Context contains checking for PAM and cron from James Antill.
 - Add a reload target to Modules.devel and change the load
   target to only insert modules that were changed.
 - Allow semanage to read from /root on strict non-MLS for

policy/flask/access_vectors

@@ -635,4 +635,5 @@ class key
 class context
 {
 	translate
+	contains
 }

policy/mls

@@ -597,4 +597,7 @@ mlsconstrain association { polmatch }
 mlsconstrain context translate
 	(( h1 dom h2 ) or ( t1 == mlstranslate ));
 
+mlsconstrain context contains
+	( h1 dom h2 );
+
 ') dnl end enable_mls

policy/modules/system/userdomain.if

@@ -22,6 +22,11 @@
 ## <rolebase/>
 #
 template(`userdom_base_user_template',`
+
+	gen_require(`
+		class context contains;
+	')
+
 	attribute $1_file_type;
 
 	type $1_t, userdomain;
@@ -49,6 +54,7 @@ template(`userdom_base_user_template',`
 	allow $1_t self:sem create_sem_perms;
 	allow $1_t self:msgq create_msgq_perms;
 	allow $1_t self:msg { send receive };
+	allow $1_t self:context contains;
 	dontaudit $1_t self:socket create;
 
 	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };

policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,2.0.2)
+policy_module(userdomain,2.0.3)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;