
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
Date: Wed, 29 Aug 2012 18:48:58
Message-Id: 1346263796.4f610d3cc9efa86e4d975e76e7e600d1d97ed927.SwifT@gentoo
1 commit: 4f610d3cc9efa86e4d975e76e7e600d1d97ed927
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Wed Aug 29 18:09:56 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed Aug 29 18:09:56 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4f610d3c
7
8 Support tagfiles for consolekit
9
10 Gentoo currently still uses the pam-foreground compatibility, which causes
11 ConsoleKit to set tagfiles in the pam_console tag directory (/var/run/console).
12 As /var/run is dynamic nowadays, ConsoleKit also creates the directory.
13
14 Allow ConsoleKit to create such a directory with the right file transition in
15 place.
16
17 See also sys-auth/consolekit files/pam-foreground-compat.ck
18
19 ---
20 policy/modules/contrib/consolekit.te | 3 ++
21 policy/modules/system/authlogin.if | 48 ++++++++++++++++++++++++++++++++++
22 2 files changed, 51 insertions(+), 0 deletions(-)
23
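diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 516328a..383317e 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -58,7 +58,10 @@ mcs_ptrace_all(consolekit_t)
 
 term_use_all_terms(consolekit_t)
 
+# consolekit daemon creates /var/run/console for tagfiles
+auth_generic_run_filetrans_pam_console_data(consolekit_t, dir, "console")
 auth_use_nsswitch(consolekit_t)
+auth_create_pam_console_data_dirs(consolekit_t)
 auth_manage_pam_console_data(consolekit_t)
 auth_write_login_records(consolekit_t)
 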
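Review bot: The comment above the new filetrans call names `/var/run/console`, while the interface it invokes is documented as covering the generic run location (/var/run or /run), and the transition is keyed on the `dir` class and the name "console" only, so a later reader should not expect a file named console to be relabeled as well. Suggest making the comment say that: `# consolekit creates the "console" tagfile directory in the generic run location (/var/run or /run); only a dir named "console" transitions to pam_var_console_t`. The create permission on the resulting directory comes from the separate `auth_create_pam_console_data_dirs` call two lines below, so the two calls depend on each other and are best kept adjacent rather than split around `auth_use_nsswitch`.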
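diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 8989233..405a9d1 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1102,6 +1102,36 @@ interface(`auth_list_pam_console_data',`
 
 ########################################
 ## <summary>
+##	Automatically transition when a resource is created in the generic run
+##	location (/var/run or /run) to the pam console data label
+##	(pam_var_console_t).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Class of the resource created
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Name of the resource created (optional).
+##	</summary>
+## </param>
+#
+interface(`auth_generic_run_filetrans_pam_console_data',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_pid_filetrans($1, pam_var_console_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Relabel pam_console data directories.
 ## </summary>
 ## <param name="domain">
@@ -1140,6 +1170,24 @@ interface(`auth_read_pam_console_data',`
 
 ########################################
 ## <summary>
+##	Create pam console data directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`auth_create_pam_console_data_dirs',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	allow $1 pam_var_console_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	pam_console data files.
 ## </summary>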
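Review bot: `auth_create_pam_console_data_dirs` grants `create_dir_perms` on `pam_var_console_t:dir` but its summary says nothing about how the created directory gets that label: a directory created in the run location keeps the parent's label unless a type transition applies, in which case the create check is made against that parent type and this new allow rule never matches. The transition is presumably supplied only by `auth_generic_run_filetrans_pam_console_data` from the earlier hunk of this file (via `files_pid_filetrans`, whose body is outside the hunk), so the summary should state the pairing, e.g. `##	Create pam_console data directories; pair with auth_generic_run_filetrans_pam_console_data so the created directory is labeled pam_var_console_t.`. As a point of style, the neighbouring summaries write `pam_console` and end in a period (`## Relabel pam_console data directories.`), while both new summaries write `pam console` and the second one has no trailing period.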