author | Chris PeBenito <cpebenito@tresys.com> | 2009-09-28 15:40:06 -0400 |
---|---|---|
committer | Chris PeBenito <cpebenito@tresys.com> | 2009-09-28 15:40:06 -0400 |
commit | 4be8dd10b9a273eef78e2221270826d6305b575b (patch) | |
tree | 865187d91c92ae2ba3cc6c3b9f3ea2e7c70a1613 | |
parent | 5a6b1fe2b4a1cd69b0c8c54772b88fdf9201c3be (diff) |
add seunshare from dan.
-rw-r--r-- | Changelog | 1 | ||||
-rw-r--r-- | policy/modules/apps/seunshare.fc | 1 | ||||
-rw-r--r-- | policy/modules/apps/seunshare.if | 72 | ||||
-rw-r--r-- | policy/modules/apps/seunshare.te | 35 |
4 files changed, 109 insertions, 0 deletions
@@ -18,6 +18,7 @@ modemmanager(Dan Walsh)
 nslcd (Dan Walsh)
 rtkit (Dan Walsh)
+ seunshare (Dan Walsh)
 shorewall (Dan Walsh)
 xscreensaver (Corentin Labbe)
diff --git a/policy/modules/apps/seunshare.fc b/policy/modules/apps/seunshare.fc
new file mode 100644
index 00000000..30a4b9fd
--- /dev/null
+++ b/policy/modules/apps/seunshare.fc
@@ -0,0 +1 @@
+/usr/sbin/seunshare -- gen_context(system_u:object_r:seunshare_exec_t,s0)
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
new file mode 100644
index 00000000..dbdf4485
--- /dev/null
+++ b/policy/modules/apps/seunshare.if
@@ -0,0 +1,72 @@
+## <summary>Filesystem namespacing/polyinstantiation application.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run seunshare.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seunshare_domtrans',`
+ gen_require(`
+ type seunshare_t, seunshare_exec_t;
+ ')
+
+ domtrans_pattern($1, seunshare_exec_t, seunshare_t)
+')
+
+########################################
+## <summary>
+## Execute seunshare in the seunshare domain, and
+## allow the specified role the seunshare domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`seunshare_run',`
+ gen_require(`
+ type seunshare_t;
+ ')
+
+ seunshare_domtrans($1)
+ role $2 types seunshare_t;
+')
+
+########################################
+## <summary>
+## Role access for seunshare
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`seunshare_role',`
+ gen_require(`
+ type seunshare_t;
+ ')
+
+ role $2 types seunshare_t;
+
+ seunshare_domtrans($1)
+
+ ps_process_pattern($2, seunshare_t)
+ allow $2 seunshare_t:process signal;
+')
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
new file mode 100644
index 00000000..dcec4bf1
--- /dev/null
+++ b/policy/modules/apps/seunshare.te
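Review bot: seunshare_role wires its two arguments the wrong way round relative to its own documentation: $1 is documented as the role and $2 as the user domain, yet the body does `role $2 types seunshare_t;` and `seunshare_domtrans($1)`, so a domain type is passed where a role is required and a role where domtrans_pattern needs a source type. The last two statements in the same interface already treat $2 as the domain (`ps_process_pattern($2, seunshare_t)`, `allow $2 seunshare_t:process signal;`), so the two lines should read `role $1 types seunshare_t;` and `seunshare_domtrans($2)`. As written, a caller following the documented (role, domain) order would most likely be rejected by the policy compiler, or if it somehow built, grant the user domain no transition to seunshare_t. seunshare_run is consistent with its documentation and is not affected.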
@@ -0,0 +1,35 @@
+
+policy_module(seunshare, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type seunshare_t;
+type seunshare_exec_t;
+application_domain(seunshare_t, seunshare_exec_t)
+role system_r types seunshare_t;
+
+########################################
+#
+# seunshare local policy
+#
+
+allow seunshare_t self:capability setpcap;
+allow seunshare_t self:process { setexec signal getcap setcap };
+
+allow seunshare_t self:fifo_file rw_file_perms;
+allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_shell(seunshare_t)
+corecmd_exec_bin(seunshare_t)
+
+files_read_etc_files(seunshare_t)
+files_mounton_all_poly_members(seunshare_t)
+
+auth_use_nsswitch(seunshare_t)
+
+miscfiles_read_localization(seunshare_t)
+
+userdom_use_user_terminals(seunshare_t)
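Review bot: The capability line grants seunshare_t only setpcap, while `files_mounton_all_poly_members(seunshare_t)` together with the module summary ("filesystem namespacing/polyinstantiation") suggests this domain performs the mounts itself; mount(2) is also checked against self:capability sys_admin, so if that inference holds the mounton permission is unusable as written and the failure would surface as a capability denial rather than a mounton one. If the mounting really is done in this domain, the line should become `allow seunshare_t self:capability { setpcap sys_admin };`, and because sys_admin is a broad capability it deserves a why-comment above it such as `# sys_admin: mount namespace / mount-on of poly member dirs`. The `setexec`, `getcap` and `setcap` process permissions are likewise undocumented; a one-line comment stating that they exist so seunshare can choose the child's execution context and adjust its own capability set would tell the next reviewer why a non-daemon application domain needs them.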