From d139413c64d121dad2f02af00fbc03d3eb4b3712 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 13 Jun 2007 13:54:56 +0000 Subject: [PATCH] trunk: 2 patches from dan --- policy/modules/apps/uml.if | 30 +------------ policy/modules/services/rwho.if | 76 +++++++++++++++++++++++++++++++++ policy/modules/services/rwho.te | 2 +- 3 files changed, 78 insertions(+), 30 deletions(-) diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if index 8a662d4ba..29dcf95fb 100644 --- a/policy/modules/apps/uml.if +++ b/policy/modules/apps/uml.if @@ -33,7 +33,6 @@ ## # template(`uml_per_role_template',` - gen_require(` type uml_ro_t, uml_exec_t; ') @@ -42,6 +41,7 @@ template(`uml_per_role_template',` # # Declarations # + type $1_uml_t; domain_type($1_uml_t) role $3 types $1_uml_t; @@ -192,34 +192,6 @@ template(`uml_per_role_template',` optional_policy(` nis_use_ypbind($1_uml_t) ') - - ifdef(`TODO',` - # for X - optional_policy(` - ifelse($1, sysadm,` - ',` - optional_policy(` - allow $1_uml_t xdm_xserver_tmp_t:dir search; - ') - allow $1_uml_t $1_xserver_tmp_t:sock_file write; - allow $1_uml_t $1_xserver_t:unix_stream_socket connectto; - ') - ') - - optional_policy(` - # for uml_net - domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t) - allow uml_net_t $1_uml_t:unix_stream_socket { read write }; - allow uml_net_t $1_uml_t:unix_dgram_socket { read write }; - dontaudit uml_net_t privfd:fd use; - can_access_pty(uml_net_t, $1_uml) - dontaudit uml_net_t $1_uml_rw_t:dir { getattr search }; - ') - #TODO - optional_policy(` - allow $1_uml_t $1_xauth_home_t:file { getattr read }; - ') - ') ') ######################################## diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if index d2d17a081..2de624739 100644 --- a/policy/modules/services/rwho.if +++ b/policy/modules/services/rwho.if 
@@ -1 +1,77 @@
 ## Who is logged in on other machines?
+
+########################################
+##
+## Execute a domain transition to run rwho.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rwho_domtrans',`
+ gen_require(`
+ type rwho_t, rwho_exec_t;
+ ')
+
+ domtrans_pattern($1,rwho_exec_t,rwho_t)
+')
+
+########################################
+##
+## Search rwho spool directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rwho_search_spool',`
+ gen_require(`
+ type rwho_spool_t;
+ ')
+
+ allow $1 rwho_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+##
+## Read rwho spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rwho_read_spool_files',`
+ gen_require(`
+ type rwho_spool_t;
+ ')
+
+ read_files_pattern($1,rwho_spool_t,rwho_spool_t)
+ files_search_spool($1)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## rwho spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rwho_manage_spool_files',`
+ gen_require(`
+ type rwho_spool_t;
+ ')
+
+ manage_files_pattern($1,rwho_spool_t,rwho_spool_t)
+ files_search_spool($1)
+')
diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
index ab2972948..d47263a51 100644
--- a/policy/modules/services/rwho.te
+++ b/policy/modules/services/rwho.te
@@ -1,5 +1,5 @@
-policy_module(rwho,1.0.0)
+policy_module(rwho,1.0.1)
 ########################################
 #
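Review bot: The doc summary on `rwho_manage_spool_files` understates what is granted: `manage_files_pattern($1,rwho_spool_t,rwho_spool_t)` also gives the caller `rw_dir_perms` on the rwho_spool_t directory (adding and removing entries), which is broader than "create, read, write, and delete rwho spool files" suggests, and since that spool is presumably what rwho_t itself reads and serves, callers of this interface should be chosen narrowly (inferred; the rwho_t rules in rwho.te are outside this patch). Suggest the summary read `##	Create, read, write, and delete rwho spool files,` / `##	and add or remove entries in the rwho spool directory.` so a policy author reading only the summary sees the directory write access. The other three interfaces document what they grant adequately and match each other in style. The rwho.te hunk that follows is only the module version bump.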