From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 05 Oct 2010 13:59:13 -0400
Subject: [refpolicy] [ patch 05/44] bootloader: permission set.
In-Reply-To: <1286216636-28449-7-git-send-email-domg472@gmail.com>
References: <1286216636-28449-1-git-send-email-domg472@gmail.com>
	<1286216636-28449-7-git-send-email-domg472@gmail.com>
Message-ID: <4CAB6771.4080807@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<domg472@gmail.com>

Merged.

> :100644 100644 fee70d9... 8ae18db... M	policy/modules/admin/bootloader.te
>   policy/modules/admin/bootloader.te |    4 ++--
>   1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
> index fee70d9..8ae18db 100644
> --- a/policy/modules/admin/bootloader.te
> +++ b/policy/modules/admin/bootloader.te
> @@ -39,7 +39,7 @@ dev_node(bootloader_tmp_t)
>   #
>
>   allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
> -allow bootloader_t self:process { sigkill sigstop signull signal execmem };
> +allow bootloader_t self:process { signal_perms execmem };
>   allow bootloader_t self:fifo_file rw_fifo_file_perms;
>
>   allow bootloader_t bootloader_etc_t:file read_file_perms;
> @@ -153,7 +153,7 @@ ifdef(`distro_redhat',`
>   	allow bootloader_t self:capability ipc_lock;
>
>   	# new file system defaults to file_t, granting file_t access is still bad.
> -	allow bootloader_t boot_runtime_t:file { read_file_perms unlink };
> +	allow bootloader_t boot_runtime_t:file { read_file_perms delete_file_perms };
>
>   	# new file system defaults to file_t, granting file_t access is still bad.
>   	files_manage_isid_type_dirs(bootloader_t)


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com