A small set of updates on contrib modules
Sven Vermeulen (3):
Add aide bin /usr/bin and mark /var/lib/aide
Provide alsa_write_lib interface
Run dmidecode after newrole or on terminals
aide.fc | 3 ++-
alsa.if | 19 +++++++++++++++++++
dmidecode.te | 6 ++++--
3 files changed, 25 insertions(+), 3 deletions(-)
--
1.8.1.5
In Gentoo, the aide binary is at /usr/bin/aide.
Also, the /var/lib/aide directory itself is best labeled as aide_db_t as well to
allow aide to handle its contents.
Signed-off-by: Sven Vermeulen <[email protected]>
---
aide.fc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/aide.fc b/aide.fc
index df6e4d0..6037ccc 100644
--- a/aide.fc
+++ b/aide.fc
@@ -1,6 +1,7 @@
+/usr/bin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
-/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
+/var/lib/aide(/.*)? gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
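Review bot: the `?` added to `/var/lib/aide(/.*)?` is the substantive part of this hunk; the previous pattern required the trailing path component, so the /var/lib/aide directory itself was never matched and only its contents got aide_db_t, which is exactly what the commit message describes, and the new form is consistent with the `/var/log/aide(/.*)?` entry below. The `/usr/bin/aide` line mirrors the existing `/usr/sbin/aide` rule, including mls_systemhigh, so nothing changes in the MLS range; after relabeling it is worth confirming with `matchpathcon /var/lib/aide /usr/bin/aide` that both paths resolve to aide_db_t and aide_exec_t respectively.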
--
1.8.1.5
The initrc_t domain needs write privileges in the /var/lib/alsa location to
store the asound.state file generated through the alsa init script. To prepare
for this, create the alsa_write_lib interface.
Signed-off-by: Sven Vermeulen <[email protected]>
---
alsa.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/alsa.if b/alsa.if
index 708b743..ca8d8cf 100644
--- a/alsa.if
+++ b/alsa.if
@@ -256,3 +256,22 @@ interface(`alsa_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
')
+
+#########################################
+## <summary>
+## Write Alsa lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_write_lib',`
+ gen_require(`
+ type alsa_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')
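Review bot: write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) only grants writing to files that already exist with that label, while the commit message says initrc_t needs to store the asound.state file generated by the init script; if that script creates the file (or writes a new one and renames it) rather than overwriting an existing one, the create and rename permissions are missing and the store will be denied. Either note in the interface summary that the file is expected to pre-exist, or use manage_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) so the caller can create it. The gen_require and files_search_var_lib($1) usage matches the alsa_read_lib interface shown in the context lines, so the rest of the interface is consistent with the file.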
--
1.8.1.5
The dmidecode application needs to use the file descriptors often owned by the
switching process (like newrole_t after switching roles with newrole), commonly
done by administrators.
Grant this through domain_use_interactive_fds(), allowing output for dmidecode
to be displayed on such terminals.
Also update the style a bit to conform to the refpolicy coding style.
Signed-off-by: Sven Vermeulen <[email protected]>
---
dmidecode.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/dmidecode.te b/dmidecode.te
index 6396d4b..600b0fc 100644
--- a/dmidecode.te
+++ b/dmidecode.te
@@ -20,13 +20,15 @@ role dmidecode_roles types dmidecode_t;
allow dmidecode_t self:capability sys_rawio;
-dev_read_sysfs(dmidecode_t)
dev_read_raw_memory(dmidecode_t)
+dev_read_sysfs(dmidecode_t)
-mls_file_read_all_levels(dmidecode_t)
+domain_use_interactive_fds(dmidecode_t)
files_list_usr(dmidecode_t)
+mls_file_read_all_levels(dmidecode_t)
+
locallogin_use_fds(dmidecode_t)
userdom_use_user_terminals(dmidecode_t)
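Review bot: this hunk combines the single functional change, the new domain_use_interactive_fds(dmidecode_t) call, with a reorder of dev_read_sysfs and mls_file_read_all_levels, so three rules appear as removed and re-added although only one permission set actually changes; the commit message does say a style update is included, but a separate style-only commit would make the access change easier to audit. On the change itself: dmidecode_t already reads raw memory, and the interface only allows use of file descriptors inherited from interactive domains such as newrole_t, not opening new ones, so it is in line with the existing locallogin_use_fds and userdom_use_user_terminals rules shown in the context lines.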
--
1.8.1.5
On Thu, 2013-08-15 at 20:15 +0200, Sven Vermeulen wrote:
> A small set of updates on contrib modules
Merged, Thanks
>
> Sven Vermeulen (3):
> Add aide bin /usr/bin and mark /var/lib/aide
> Provide alsa_write_lib interface
> Run dmidecode after newrole or on terminals
>
> aide.fc | 3 ++-
> alsa.if | 19 +++++++++++++++++++
> dmidecode.te | 6 ++++--
> 3 files changed, 25 insertions(+), 3 deletions(-)
>