commit:     e830cfda08709f50e13176b45de8c801cb155cff
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun  1 16:12:38 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun  1 18:31:01 2016 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e830cfda

consolekit: allow managing user runtime

 policy/modules/contrib/consolekit.te | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/consolekit.te 
b/policy/modules/contrib/consolekit.te
index cd02890..e02e105 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -24,8 +24,8 @@ init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
 # Local policy
 #
 
-allow consolekit_t self:capability { chown setuid setgid sys_tty_config 
dac_override sys_nice sys_ptrace };
-allow consolekit_t self:process { getsched signal };
+allow consolekit_t self:capability { chown fowner setuid setgid sys_admin 
sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:process { getsched signal setfscreate };
 allow consolekit_t self:fifo_file rw_fifo_file_perms;
 allow consolekit_t self:unix_stream_socket { accept listen };
 
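Review bot: `sys_admin` and `fowner` are added to the `consolekit_t` capability rule with nothing in the file recording which operation needs each, and `sys_admin` is one of the broadest Linux capabilities. The tmpfs mount and unmount interfaces added in the second hunk are presumably what requires `sys_admin`, and `setfscreate` presumably pairs with the new `seutil_read_file_contexts` and relabel rules. A comment above the rule, such as `# sys_admin: mount/unmount tmpfs on the per-user runtime dir; fowner, setfscreate: create and label it`, would let a later audit re-check the grant if that code path changes. The domain already holds `dac_override` and `sys_ptrace`, so the reason for each further capability is worth writing down.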
@@ -61,9 +61,15 @@ files_read_var_lib_files(consolekit_t)
 files_search_all_mountpoints(consolekit_t)
 
 fs_list_inotifyfs(consolekit_t)
+fs_mount_tmpfs(consolekit_t)
+fs_unmount_tmpfs(consolekit_t)
+fs_relabelfrom_tmpfs(consolekit_t)
 
 mcs_ptrace_all(consolekit_t)
 
+seutil_libselinux_linked(consolekit_t)
+seutil_read_file_contexts(consolekit_t)
+
 term_use_all_terms(consolekit_t)
 
 auth_use_nsswitch(consolekit_t)
@@ -79,6 +85,12 @@ miscfiles_read_localization(consolekit_t)
 
 userdom_dontaudit_read_user_home_content_files(consolekit_t)
 userdom_read_user_tmp_files(consolekit_t)
+userdom_manage_user_runtime_root_dirs(consolekit_t)
+userdom_manage_user_runtime_dirs(consolekit_t)
+userdom_mounton_user_runtime_dirs(consolekit_t)
+userdom_relabelto_user_runtime_dirs(consolekit_t)
+userdom_pid_filetrans_user_runtime_root(consolekit_t, dir, "user")
+userdom_user_runtime_root_filetrans_user_runtime(consolekit_t, dir)
 
 tunable_policy(`use_nfs_home_dirs',`
        fs_read_nfs_files(consolekit_t)
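Review bot: The two file-transition lines at the end of the added block differ in form, and nothing says the difference is deliberate. `userdom_pid_filetrans_user_runtime_root(consolekit_t, dir, "user")` is a named transition, while `userdom_user_runtime_root_filetrans_user_runtime(consolekit_t, dir)` carries no name and so, judging by the interface name, applies to any directory `consolekit_t` creates under the runtime root. Presumably the per-user directory names are UIDs and cannot be listed statically; a comment such as `# per-user dirs are named by UID, so this transition is unnamed` would record that. The six added lines would also read better under a short heading comment, e.g. `# create, label and mount the per-user runtime directory`. The `tunable_policy` block that follows continues outside the hunk.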
