diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 5ef1b27..031d0eb 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add key support from Michael LeMay.
- Add ftpdctl domain to ftp, from Paul Howarth.
- Fix build system to not move type declarations out of optionals.
- Add gcc-config domain to portage.
diff --git a/refpolicy/policy/flask/access_vectors b/refpolicy/policy/flask/access_vectors
index 073da2e..6a847d1 100644
--- a/refpolicy/policy/flask/access_vectors
+++ b/refpolicy/policy/flask/access_vectors
@@ -252,6 +252,7 @@ class process
execmem
execstack
execheap
+ setkeycreate
}
@@ -617,3 +618,14 @@ class packet
recv
relabelto
}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
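Review bot: The seven permissions on `class key` are added without a matching object permission set, so every caller has to spell out the full list; the xdm hunk in this same commit already relies on sets like `create_shm_perms` and `create_sem_perms`, and a `define(`manage_key_perms', `{ view read write search link setattr create }')` next to those would keep key rules consistent with the rest of the policy. I cannot see the permission-set file from here, so if one is already defined this is moot. Since permission bits are positional at this policy version as far as I can tell, the order view/read/write/search/link/setattr/create also has to match the kernel's generated av_permissions for this class.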
diff --git a/refpolicy/policy/flask/security_classes b/refpolicy/policy/flask/security_classes
index 60fd630..57f49bc 100644
--- a/refpolicy/policy/flask/security_classes
+++ b/refpolicy/policy/flask/security_classes
@@ -90,4 +90,7 @@ class appletalk_socket
class packet
+# Kernel access key retention
+class key
+
# FLASK
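Review bot: `class key` is appended after `packet`, and with class identifiers being positional in this policy format the new class only lines up if the kernel assigns `key` the index immediately after `packet`; a one-line comment such as `# must match SECCLASS_KEY ordering in the kernel flask headers` would stop a later insertion above it from silently renumbering it. The comment `# Kernel access key retention` would read better as `# Kernel key retention service (keyrings)`, which is the kernel's own name for the facility.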
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index cff31cf..412a8ed 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -80,7 +80,7 @@ optional_policy(`
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms };
+allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms setkeycreate };
allow xdm_t self:fifo_file rw_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
@@ -214,6 +214,7 @@ sysnet_read_config(xdm_t)
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
+userdom_create_all_users_keys(xdm_t)
# for .dmrc
userdom_read_unpriv_users_home_content_files(xdm_t)
# Search /proc for any user domain processes.
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 62e6690..3d58f32 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -169,6 +169,7 @@ userdom_signal_all_users(local_login_t)
userdom_search_all_users_home_content(local_login_t)
userdom_use_unpriv_users_fds(local_login_t)
userdom_sigchld_all_users(local_login_t)
+userdom_create_all_users_keys(local_login_t)
# Search for mail spool file.
mta_getattr_spool(local_login_t)
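Review bot: `local_login_t` gains `userdom_create_all_users_keys` but, unlike `xdm_t` in the xserver hunk, no `self:process setkeycreate` is added for it here; unless that permission is already granted elsewhere in locallogin.te, the setkeycreate call will be denied before the `key create` check on the user domain is ever reached. The fix is the same one line used for xdm: add `setkeycreate` to local_login_t's existing `self:process` rule. Separately, if login also joins or populates a session keyring on the user's behalf after switching its key creation context, it would need `userdomain:key { search write link }` on those keys, which nothing in this commit grants; I cannot see what the login program does, so confirm that against a denial log rather than adding it speculatively.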
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index ba8dc8a..f72a25f 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -360,6 +360,24 @@ interface(`unconfined_dontaudit_rw_tcp_sockets',`
########################################
##
+## Create keys for the unconfined domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_create_keys',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:key create;
+')
+
+########################################
+##
## Send messages to the unconfined domain over dbus.
##
##
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index fc6cc33..bb6212b 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -4732,6 +4732,28 @@ interface(`userdom_sigchld_all_users',`
########################################
##
+## Create keys for all user domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_create_all_users_keys',`
+ ifdef(`strict_policy',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key create;
+ ',`
+ unconfined_create_keys($1)
+ ')
+')
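Review bot: The summary `Create keys for all user domains.` undersells what this interface grants: `userdomain:key create` is the check that lets the caller set its key creation context to a user domain (the `setkeycreate` use for xdm_t elsewhere in this commit), after which every key the caller creates is labeled as that user. Suggest `## Allow the caller to set its key creation context to, and create keys labeled with, any user domain.` as the summary so readers do not expect it to cover keyring use by the user domains themselves. The non-strict branch calls `unconfined_create_keys($1)` unconditionally, which presumably mirrors the sibling `userdom_*_all_users` interfaces; that is fine only as long as the unconfined module is always present in non-strict builds, so worth confirming.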
+
+########################################
+##
## Send a dbus message to all user domains.
##
##