From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 09 Sep 2010 08:21:30 -0400
Subject: [refpolicy] [Various 4/5] Implement seutil_domtrans_setsebool and add a call to this interface for the following domains: rpm_script_t, setroubleshoot_fixit_t, anaconda_t.
In-Reply-To: <20100909121105.GA16089@localhost.localdomain>
References: <20100903142417.GA26367@localhost.localdomain> <4C88CE06.9040609@tresys.com> <20100909121105.GA16089@localhost.localdomain>
Message-ID: <4C88D14A.3080503@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/09/2010 08:11 AM, Dominick Grift wrote:
> On Thu, Sep 09, 2010 at 08:07:34AM -0400, Christopher J. PeBenito wrote:
>> On 09/03/10 10:24, Dominick Grift wrote:
>>> Signed-off-by: Dominick Grift
>>
>> Setsebool_t does not exist upstream.
>
> Yes, I redid it (see my other patch) after I figured that out. However, I do not like how Fedora implemented that solution either, and I wouldn't be surprised if you don't like it either.
>
I would be willing to change the Fedora mechanism, if you can get something upstream. Of course, until we get labeled booleans into modules, there are limited advantages to this.
>>
>>> --- >>> :100644 100644 96f68e9... d1ebb91... M policy/modules/admin/anaconda.te >>> :100644 100644 1a08320... e7312eb... M policy/modules/admin/rpm.te >>> :100644 100644 3d17148... 3a2351b... M policy/modules/services/setroubleshoot.te >>> :100644 100644 170e2c7... cecca76... M policy/modules/system/selinuxutil.if >>> policy/modules/admin/anaconda.te | 1 + >>> policy/modules/admin/rpm.te | 1 + >>> policy/modules/services/setroubleshoot.te | 1 + >>> policy/modules/system/selinuxutil.if | 20 ++++++++++++++++++++ >>> 4 files changed, 23 insertions(+), 0 deletions(-) >>> >>> diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te >>> index 96f68e9..d1ebb91 100644 >>> --- a/policy/modules/admin/anaconda.te
>>> +++ b/policy/modules/admin/anaconda.te >>> @@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) >>> modutils_domtrans_depmod(anaconda_t) >>> >>> seutil_domtrans_semanage(anaconda_t) >>> +seutil_domtrans_setsebool(anaconda_t) >>> >>> userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) >>> >>> diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te >>> index 1a08320..e7312eb 100644 >>> --- a/policy/modules/admin/rpm.te >>> +++ b/policy/modules/admin/rpm.te >>> @@ -334,6 +334,7 @@ modutils_domtrans_insmod(rpm_script_t) >>> seutil_domtrans_loadpolicy(rpm_script_t) >>> seutil_domtrans_setfiles(rpm_script_t) >>> seutil_domtrans_semanage(rpm_script_t) >>> +seutil_domtrans_setsebool(rpm_script_t) >>> >>> userdom_use_all_users_fds(rpm_script_t) >>> >>> diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te >>> index 3d17148..3a2351b 100644 >>> --- a/policy/modules/services/setroubleshoot.te >>> +++ b/policy/modules/services/setroubleshoot.te >>> @@ -150,6 +150,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t) >>> corecmd_exec_shell(setroubleshoot_fixit_t) >>> >>> seutil_domtrans_setfiles(setroubleshoot_fixit_t) >>> +seutil_domtrans_setsebool(setroubleshoot_fixit_t) >>> >>> files_read_usr_files(setroubleshoot_fixit_t) >>> files_read_etc_files(setroubleshoot_fixit_t) >>> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if >>> index 170e2c7..cecca76 100644 >>> --- a/policy/modules/system/selinuxutil.if >>> +++ b/policy/modules/system/selinuxutil.if 
>>> @@ -1038,6 +1038,26 @@ interface(`seutil_run_semanage',` >>> >>> ######################################## >>> ## >>> +## Execute a domain transition to run setsebool. >>> +## >>> +## >>> +## >>> +## Domain allowed to transition. >>> +## >>> +## >>> +# >>> +interface(`seutil_domtrans_setsebool',` >>> + gen_require(` >>> + type setsebool_t, setsebool_exec_t; >>> + ') >>> + >>> + files_search_usr($1) >>> + corecmd_search_bin($1) >>> + domtrans_pattern($1, setsebool_exec_t, setsebool_t) >>> +') >>> + >>> +######################################## >>> +## >>> ## Full management of the semanage >>> ## module store. >>> ## >>> >>> >>> >>> _______________________________________________ >>> refpolicy mailing list >>> refpolicy at oss.tresys.com >>> http://oss.tresys.com/mailman/listinfo/refpolicy >> >> >> -- >> Chris PeBenito >> Tresys Technology, LLC >> www.tresys.com | oss.tresys.com
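Review bot: in the selinuxutil.if hunk, the new interface's gen_require pulls in `type setsebool_t, setsebool_exec_t;`, but nothing in this patch declares either type (the diffstat touches only the three .te callers and selinuxutil.if, not selinuxutil.te or selinuxutil.fc), and the thread above confirms setsebool_t does not exist upstream, so as posted every module that calls seutil_domtrans_setsebool fails to link against reference policy. The domain declaration and the executable labeling for setsebool need to land in selinuxutil.te and selinuxutil.fc earlier in the same series, or the anaconda.te, rpm.te and setroubleshoot.te hunks should be held back until they do; otherwise the interface as written is fine and matches the existing seutil_domtrans_semanage pattern (files_search_usr, corecmd_search_bin, domtrans_pattern).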