From c6a60bb28d9818adbf693d05938786e0d3629d0b Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Nov 14 2006 13:38:52 +0000
Subject: On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote:
> Here is the policy changes needed for the context contains security
> checking in PAM and cron.
---
diff --git a/Changelog b/Changelog
index 87fd0ff..1bdd76e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Context contains checking for PAM and cron from James Antill.
 - Add a reload target to Modules.devel and change the load target to only insert modules that were changed.
 - Allow semanage to read from /root on strict non-MLS for
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 641dcd2..4848d25 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -635,4 +635,5 @@ class key
 class context
 {
 translate
+ contains
 }
diff --git a/policy/mls b/policy/mls
index 8ab1332..bdca162 100644
--- a/policy/mls
+++ b/policy/mls
@@ -597,4 +597,7 @@ mlsconstrain association { polmatch }
 mlsconstrain context translate
 (( h1 dom h2 ) or ( t1 == mlstranslate ));
+mlsconstrain context contains
+ ( h1 dom h2 );
+
 ') dnl end enable_mls
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 0532edc..c47a891 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -22,6 +22,11 @@
 ##
 #
 template(`userdom_base_user_template',`
+
+ gen_require(`
+ class context contains;
+ ')
+
 attribute $1_file_type;
 type $1_t, userdomain;
@@ -49,6 +54,7 @@ template(`userdom_base_user_template',`
 allow $1_t self:sem create_sem_perms;
 allow $1_t self:msgq create_msgq_perms;
 allow $1_t self:msg { send receive };
+ allow $1_t self:context contains;
 dontaudit $1_t self:socket create;
 allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 7999ffe..865fd42 100644
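Review bot: The new `mlsconstrain context contains ( h1 dom h2 );` in policy/mls compares only the high levels, so a target context whose low level lies below the source range's low level still satisfies it; if `contains` is meant to say that the target range lies within the source range, the low bound needs the mirror test too, `(( h1 dom h2 ) and ( l1 domby l2 ));`. A one-line comment above the constraint naming which side is the checking process's range and which is the requested context would also help, since per the commit message this class is evaluated by userspace callers (PAM, cron) rather than by a kernel hook. The constraint sits inside the `enable_mls` block (the hunk ends at `') dnl end enable_mls`), so in a build without MLS the permission is governed only by the type-enforcement allow rule and every containment query would succeed; if this tree also carries a policy/mcs counterpart, it presumably needs a parallel constraint, which is worth confirming or documenting.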
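Review bot: `allow $1_t self:context contains;` in the second userdomain.if hunk grants the query only when the source and target contexts share the type `$1_t`; if a PAM or cron check compares a user's context against a requested context of a different type, the query would be denied regardless of the ranges, so the intended scope of the self-only rule should be stated. A comment on that line such as `# range containment query used by the PAM/cron context checks; same type only, ranges are compared by the MLS constraint on context:contains` would make the assumption explicit for the next maintainer. The enclosing template `userdom_base_user_template` starts and ends outside this hunk.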
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,2.0.2)
+policy_module(userdomain,2.0.3)
 gen_require(`
 role sysadm_r, staff_r, user_r;