From 06835b2846d78f54d95526795131c0dfc933985b Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Aug 14 2009 13:03:50 +0000 Subject: - Add ptchown policy from Dan Walsh --- diff --git a/modules-minimum.conf b/modules-minimum.conf index 28ad58f..cd6fd42 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -505,6 +505,13 @@ hal = module # polkit = module +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + # Layer: services # Module: psad # diff --git a/modules-targeted.conf b/modules-targeted.conf index 152f015..d91ca9b 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -519,6 +519,13 @@ hal = module # polkit = module +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + # Layer: services # Module: psad # diff --git a/policy-20080710.patch b/policy-20080710.patch index 9013b0f..1f9f40e 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch 
@@ -5403,6 +5403,80 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut miscfiles_read_localization(podsleuth_t) dbus_system_bus_client_template(podsleuth, podsleuth_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.fc serefpolicy-3.5.13/policy/modules/apps/ptchown.fc +--- nsaserefpolicy/policy/modules/apps/ptchown.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/apps/ptchown.fc 2009-08-14 14:12:49.000000000 +0200 +@@ -0,0 +1,2 @@ ++ ++/usr/libexec/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.5.13/policy/modules/apps/ptchown.if +--- nsaserefpolicy/policy/modules/apps/ptchown.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/apps/ptchown.if 2009-08-14 14:12:49.000000000 +0200 +@@ -0,0 +1,22 @@ ++ ++## helper function for grantpt(3), changes ownship and permissions of pseudotty ++ ++######################################## ++## ++## Execute a domain transition to run ptchown. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`ptchown_domtrans',` ++ gen_require(` ++ type ptchown_t; ++ type ptchown_exec_t; ++ ') ++ ++ domtrans_pattern($1,ptchown_exec_t,ptchown_t) ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.5.13/policy/modules/apps/ptchown.te +--- nsaserefpolicy/policy/modules/apps/ptchown.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/apps/ptchown.te 2009-08-14 14:13:12.000000000 +0200 +@@ -0,0 +1,38 @@ ++policy_module(ptchown,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type ptchown_t; ++type ptchown_exec_t; ++application_domain(ptchown_t, ptchown_exec_t) ++role system_r types ptchown_t; ++ ++permissive ptchown_t; ++ ++######################################## ++# ++# ptchown local policy ++# ++ ++allow ptchown_t self:capability { fowner chown setuid }; ++allow ptchown_t self:process { getcap setcap }; ++ ++# Init script handling ++domain_use_interactive_fds(ptchown_t) ++ ++# internal communication is often done using fifo and unix sockets. ++allow ptchown_t self:fifo_file rw_file_perms; ++allow ptchown_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_read_etc_files(ptchown_t) ++ ++fs_rw_anon_inodefs_files(ptchown_t) ++ ++term_use_generic_ptys(ptchown_t) ++term_setattr_generic_ptys(ptchown_t) ++term_setattr_all_user_ptys(ptchown_t) ++ ++miscfiles_read_localization(ptchown_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.5.13/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-10-17 14:49:14.000000000 +0200 +++ serefpolicy-3.5.13/policy/modules/apps/qemu.fc 2009-02-25 19:55:15.000000000 +0100 diff --git a/selinux-policy.spec b/selinux-policy.spec index 25f4cdd..bddd661 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
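Review bot: `permissive ptchown_t;` in the new ptchown.te makes the whole module audit-only, so the `{ fowner chown setuid }` capability set and the pty setattr grants below it are not actually enforced for this setuid helper, and the line carries no comment saying why it is there or when it comes out. Suggest annotating it, e.g. `# TODO: permissive while AVC denials are collected; remove once the domain is confirmed clean`, so the relaxation is not forgotten when the module is promoted. Nothing in this hunk calls the new `ptchown_domtrans` interface, so unless a caller is wired up elsewhere in the patch, grantpt(3) will run pt_chown in the calling process's domain and this policy only contributes the file labeling. Separately, the summary line `## helper function for grantpt(3), changes ownship and permissions of pseudotty` has a typo (`ownship` should be `ownership`); the same text appears in the modules-minimum.conf and modules-targeted.conf hunks.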
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 68%{?dist} +Release: 69%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -462,6 +462,9 @@ exit 0 %endif %changelog +* Fri Aug 14 2009 Miroslav Grepl 3.5.13-69 +- Add ptchown policy from Dan Walsh + * Fri Jul 31 2009 Miroslav Grepl 3.5.13-68 - Allow lircd read/write input event devices