commit: d12c961da29084ced47ff21373925c02fc73e022 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Sat Jul 11 09:15:46 2015 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Thu Jul 30 16:41:28 2015 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d12c961d |
|
Introduce setrans_admin interface |
|
policy/modules/roles/sysadm.te | 4 ++++ |
policy/modules/system/setrans.if | 31 +++++++++++++++++++++++++++++++ |
2 files changed, 35 insertions(+) |
|
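--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -952,6 +952,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+ setrans_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
  setroubleshoot_admin(sysadm_t, sysadm_r)
 ')
 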
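--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@@ -40,3 +40,34 @@ interface(`setrans_translate_context',`
  stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
  files_list_pids($1)
 ')
+
+######################################
+## <summary>
+## All of the rules required to
+## administrate an setrans environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`setrans_admin',`
+ gen_require(`
+ type setrans_t, setrans_initrc_exec_t;
+ type setrans_var_run_t;
+ ')
+
+ allow $1 setrans_t:process { ptrace signal_perms };
+ ps_process_pattern($1, setrans_t)
+
+ init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, setrans_var_run_t)
+')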
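Review bot: `allow $1 setrans_t:process { ptrace signal_perms };` in setrans_admin is the one rule here that reaches into the running daemon rather than its service control or its pid-directory objects, and with sysadm.te wiring this to sysadm_t it lets the admin domain read and alter the setrans daemon's memory; this appears to follow the pattern of other *_admin interfaces, but it deserves either a short comment stating why ptrace is wanted or, if only start/stop/kill is intended, reduction to `allow $1 setrans_t:process signal_perms;`. The interface also relies on `files_search_pids($1)` where the neighbouring setrans_translate_context uses `files_list_pids($1)`; that may be sufficient next to `admin_pattern($1, setrans_var_run_t)`, but an admin who cannot list the pid directory is a common source of denials worth confirming. Minor wording in the summary block: `## administrate an setrans environment.` should read `## administrate a setrans environment.`.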