commit: e272b12c0e2345b698444b24675566a014e0ae75
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 18 11:01:54 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 18 11:01:54 2014 +0000
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e272b12c
Introduce cachefilesd_kernel_t for cachefiles
When the Linux kernel acts on behalf of cachefilesd, it does so in the
context defined here. As the module is called cachefilesd, we call it
cachefilesd_kernel_t (unlike Fedora, which uses cachefiles_kernel_t).
Port changes from fedora to use the kernel_service class into this
module as well.
---
policy/modules/contrib/cachefilesd.te | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/policy/modules/contrib/cachefilesd.te
b/policy/modules/contrib/cachefilesd.te
index a3760bc..353aa85 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -50,3 +50,34 @@ init_dontaudit_use_script_ptys(cachefilesd_t)
optional_policy(`
rpm_use_script_fds(cachefilesd_t)
')
+
+ifdef(`distro_gentoo',`
+ type cachefilesd_kernel_t;
+ domain_type(cachefilesd_kernel_t)
+ domain_obj_id_change_exemption(cachefilesd_kernel_t)
+ role system_r types cachefilesd_kernel_t;
+
+ # CacheFiles tells the Linux kernel for which security context
+ # it should act to begin caching.
+
+ # Allow cachefilesd_t to tell the kernel to use cachefilesd_kernel_t)
+ allow cachefilesd_t cachefilesd_kernel_t:kernel_service {
use_as_override };
+
+ # Allow cachefilesd_t to tell the kernel to write files as
cachefilesd_cache_t
+ allow cachefilesd_t cachefilesd_cache_t:kernel_service {
create_files_as };
+
+ ##########################################
+ #
+ # cachefilesd_kernel_t policy
+ #
+ allow cachefilesd_kernel_t self:capability { dac_override
dac_read_search };
+
+ manage_dirs_pattern(cachefilesd_kernel_t, cachefilesd_cache_t,
cachefilesd_cache_t)
+ manage_files_pattern(cachefilesd_kernel_t, cachefilesd_cache_t,
cachefilesd_cache_t)
+
+ fs_getattr_xattr_fs(cachefilesd_kernel_t)
+
+ dev_search_sysfs(cachefilesd_kernel_t)
+
+ init_sigchld_script(cachefilesd_kernel_t)
+')
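Review bot: The new cachefilesd_kernel_t domain is granted `dac_override` together with `dac_read_search` on the `allow cachefilesd_kernel_t self:capability` line, and nothing in the hunk says which operation needs the broader of the two when the domain is otherwise confined to managing cachefilesd_cache_t dirs and files. If directory traversal under the cache is all that is required, `dac_read_search` alone narrows the domain; if write access to objects owned by another uid is really needed, a comment such as `# dac_override: <operation that needs it> -- TODO confirm` above the rule would let the next reviewer judge it. Separately, the comment before the use_as_override rule has a stray trailing parenthesis and should read `# Allow cachefilesd_t to tell the kernel to use cachefilesd_kernel_t`. Since the whole block sits inside the distro_gentoo ifdef, denials for this domain will only show up on Gentoo builds, which is worth keeping in mind when comparing audit logs against the Fedora policy this was ported from.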