On Tue, 2006-10-31 at 11:21 -0500, Stephen Smalley wrote: > No. The ability to make the security call is controlled by the > compute_av permission on the security class, and isn't based on the > individual contexts passed as arguments. That would be: > allow $1 security_t:security compute_av; > which has an interface: > selinux_compute_access_vector($1) > which is already in authlogin.if. No change required for allowing the > call to happen. > > What you are instead trying to do is to define the _result_ of that > compute_av call based on its arguments, not whether it can be made by > login. So the TE rule would go into userdomain.if and be of the form: > allow $1 self:context <permissionname>;
Ok, I think I have it now. Both patches are at (with the renamed permission): http://people.redhat.com/jantill/pam-config_role/upstream/ -- James Antill - <[EMAIL PROTECTED]> setsockopt(fd, IPPROTO_TCP, TCP_CONGESTION, ...); setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, ...); setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, ...);
Index: policy/flask/access_vectors
===================================================================
--- policy/flask/access_vectors (revision 2065)
+++ policy/flask/access_vectors (working copy)
@@ -635,4 +635,5 @@
class context
{
translate
+ contains
}
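Review bot: The new `contains` permission is declared without any indication of what a "contains" decision means, and nothing in `access_vectors` will tell a later reader that its result is supposed to come from a constraint rather than from TE alone. A one-line comment in the class body, `# contains: result is defined by constraints on the two contexts (see policy/mls), not by type alone`, would make that explicit. Appending it after `translate` keeps the existing bit assignment (translate = 0x1) stable, which is what the matching libselinux header changes assume.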
Index: policy/modules/system/userdomain.if
===================================================================
--- policy/modules/system/userdomain.if (revision 2065)
+++ policy/modules/system/userdomain.if (working copy)
@@ -51,6 +51,8 @@
allow $1_t self:msg { send receive };
dontaudit $1_t self:socket create;
+ allow $1_t self:context contains;
+
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
term_create_pty($1_t,$1_devpts_t)
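Review bot: `allow $1_t self:context contains;` only grants the check when both contexts handed to compute_av carry the same type `$1_t`; if pam-config_role ever compares, say, the login process's context against the user's default context, or two different user domains, TE denies before any constraint is consulted. Please confirm that both sides of the comparison are always `$1_t`, or note it in a comment next to the rule, e.g. `# both contexts compared by pam-config_role are the user's own domain; the MLS constraint decides the result`. Also, because the only constraint on this permission lives under `enable_mls`, on a non-MLS build this rule makes `contains` unconditionally true for any two `$1_t` contexts regardless of user or role; if role or user containment matters there, a plain `constrain context contains (...)` outside the MLS block is needed. The enclosing `userdom_base_user_template` body starts and ends outside this hunk.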
Index: policy/mls
===================================================================
--- policy/mls (revision 2065)
+++ policy/mls (working copy)
@@ -596,4 +596,7 @@
mlsconstrain context translate
(( h1 dom h2 ) or ( t1 == mlstranslate ));
+mlsconstrain context contains
+ ( h1 dom h2 );
+
') dnl end enable_mls
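Review bot: `( h1 dom h2 )` compares only the high ends of the two ranges, so a source range whose low level is above the target's low level still "contains" it; if `contains` is meant to express that the source range [l1-h1] contains the target range [l2-h2], the low end must be checked too: `mlsconstrain context contains (( h1 dom h2 ) and ( l1 domby l2 ));`. If only clearance dominance is intended, say so in a comment above the constraint so it is not later "fixed" to the full range check. Unlike `translate`, which has the `t1 == mlstranslate` escape, there is no privileged override here; that may be deliberate, but a comment stating it would help. The hunk ends on the `')` that closes the `ifdef enable_mls` block, so the `ifdef` itself is outside view.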
Index: libselinux/include/selinux/av_permissions.h
===================================================================
--- libselinux/include/selinux/av_permissions.h (revision 2074)
+++ libselinux/include/selinux/av_permissions.h (working copy)
@@ -896,3 +896,4 @@
#define KEY__SETATTR 0x00000020UL
#define KEY__CREATE 0x00000040UL
#define CONTEXT__TRANSLATE 0x00000001UL
+#define CONTEXT__CONTAINS 0x00000002UL
Index: libselinux/src/av_perm_to_string.h
===================================================================
--- libselinux/src/av_perm_to_string.h (revision 2074)
+++ libselinux/src/av_perm_to_string.h (working copy)
@@ -266,3 +266,4 @@
S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
S_(SECCLASS_KEY, KEY__CREATE, "create")
S_(SECCLASS_CONTEXT, CONTEXT__TRANSLATE, "translate")
+ S_(SECCLASS_CONTEXT, CONTEXT__CONTAINS, "contains")
