Aisexec patch from Miroslav Grepl.

* openais needs ipc_owner and read/write user SysV sempaphores/shared memory
2025-02-21 23:16:58 +00:00 · 2011-03-21 11:23:26 -04:00 · 2011-03-21 11:23:26 -04:00 · ec5d81e1ca
commit ec5d81e1ca
parent 6c4f41ced1
3 changed files with 43 additions and 3 deletions
--- a/policy/modules/services/aisexec.te
+++ b/policy/modules/services/aisexec.te
@ -1,4 +1,4 @@
-policy_module(aisexec, 1.0.0)
+policy_module(aisexec, 1.0.1)

 ########################################
 #
@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t)
 # aisexec local policy
 #

-allow aisexec_t self:capability { sys_nice sys_resource ipc_lock };
+allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner };
 allow aisexec_t self:process { setrlimit setsched signal };
 allow aisexec_t self:fifo_file rw_fifo_file_perms;
 allow aisexec_t self:sem create_sem_perms;
@ -81,6 +81,9 @@ logging_send_syslog_msg(aisexec_t)

 miscfiles_read_localization(aisexec_t)

+userdom_rw_unpriv_user_semaphores(aisexec_t)
+userdom_rw_unpriv_user_shared_mem(aisexec_t)
+
 optional_policy(`
 	ccs_stream_connect(aisexec_t)
 ')
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -2736,6 +2736,24 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
 	allow unpriv_userdomain $1:process sigchld;
 ')

+#######################################
+## <summary>
+##	Read and write unpriviledged user SysV sempaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_rw_unpriv_user_semaphores',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
+
 ########################################
 ## <summary>
 ##	Manage unpriviledged user SysV sempaphores.
@ -2754,6 +2772,25 @@ interface(`userdom_manage_unpriv_user_semaphores',`
 	allow $1 unpriv_userdomain:sem create_sem_perms;
 ')

+#######################################
+## <summary>
+##	Read and write unpriviledged user SysV shared
+##	memory segments.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_rw_unpriv_user_shared_mem',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	allow $1 unpriv_userdomain:shm rw_shm_perms;
+')
+
 ########################################
 ## <summary>
 ##	Manage unpriviledged user SysV shared
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@ -1,4 +1,4 @@
-policy_module(userdomain, 4.5.0)
+policy_module(userdomain, 4.5.1)

 ########################################
 #