commit: 469c67a7130b6e1700b621c59db71587e1a486b9 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Fri Sep 28 08:13:03 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Fri Sep 28 17:40:45 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=469c67a7 |
|
Changes to the ddcprobe policy module |
|
Use role attributes |
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/ddcprobe.fc | 3 --- |
policy/modules/contrib/ddcprobe.if | 14 ++++++++------ |
policy/modules/contrib/ddcprobe.te | 8 +++++--- |
3 files changed, 13 insertions(+), 12 deletions(-) |
|
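--- a/policy/modules/contrib/ddcprobe.fc
+++ b/policy/modules/contrib/ddcprobe.fc
@@ -1,4 +1 @@
-#
-# /usr
-#
 /usr/sbin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0)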
|
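--- a/policy/modules/contrib/ddcprobe.if
+++ b/policy/modules/contrib/ddcprobe.if
@@ -1,4 +1,4 @@
-## <summary>ddcprobe retrieves monitor and graphics card information</summary>
+## <summary>ddcprobe retrieves monitor and graphics card information.</summary>
 
 ########################################
 ## <summary>
@@ -15,13 +15,15 @@ interface(`ddcprobe_domtrans',`
 type ddcprobe_t, ddcprobe_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t)
 ')
 
 ########################################
 ## <summary>
-## Execute ddcprobe in the ddcprobe domain, and
-## allow the specified role the ddcprobe domain.
+## Execute ddcprobe in the ddcprobe
+## domain, and allow the specified
+## role the ddcprobe domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -30,16 +32,16 @@ interface(`ddcprobe_domtrans',`
 ## </param>
 ## <param name="role">
 ## <summary>
-## Role to be authenticated for ddcprobe domain.
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`ddcprobe_run',`
 gen_require(`
- type ddcprobe_t;
+ attribute_role ddcprobe_roles;
 ')
 
 ddcprobe_domtrans($1)
- role $2 types ddcprobe_t;
+ roleattribute $2 ddcprobe_roles;
 ')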
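Review bot: In `ddcprobe_run`, `roleattribute $2 ddcprobe_roles;` no longer names `ddcprobe_t`, so what the caller's role receives is now decided by the `role ddcprobe_roles types ...;` rules in ddcprobe.te rather than by this interface, and the shortened parameter text `Role allowed access.` does not say so. In this commit the attribute carries only `ddcprobe_t`, so the effective grant looks unchanged, but any type later associated with `ddcprobe_roles` would be granted to every role that calls this interface. I would record that next to the rule, for example `# $2 receives every type associated with ddcprobe_roles in ddcprobe.te`, so a later edit to the attribute is reviewed with its callers in mind.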
|
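--- a/policy/modules/contrib/ddcprobe.te
+++ b/policy/modules/contrib/ddcprobe.te
@@ -1,14 +1,17 @@
-policy_module(ddcprobe, 1.2.0)
+policy_module(ddcprobe, 1.2.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role ddcprobe_roles;
+roleattribute system_r ddcprobe_roles;
+
 type ddcprobe_t;
 type ddcprobe_exec_t;
 application_domain(ddcprobe_t, ddcprobe_exec_t)
-role system_r types ddcprobe_t;
+role ddcprobe_roles types ddcprobe_t;
 
 ########################################
 #
@@ -48,6 +51,5 @@ userdom_use_user_terminals(ddcprobe_t)
 userdom_use_all_users_fds(ddcprobe_t)
 
 optional_policy(`
- #reh why? this does not seem even necessary to function properly
 kudzu_getattr_exec_files(ddcprobe_t)
 ')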
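Review bot: The last hunk deletes the `#reh why?` comment but keeps `kudzu_getattr_exec_files(ddcprobe_t)`, so the recorded doubt about whether ddcprobe needs this access disappears from the file without being answered. For a confined domain, an allow rule with no stated reason is worth settling rather than silencing. If ddcprobe runs without AVC denials once the rule is removed, drop the whole `optional_policy` block. Otherwise replace the deleted line with the justification, for example `# ddcprobe needs getattr on the kudzu executable because <reason>`. Nothing visible in this commit shows which of the two applies.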