SELinux Mailing List: openct modifications
From: dwalsh_at_redhat.com
Date: Wed, 30 May 2007 10:38:34 -0400
#
--- nsaserefpolicy/policy/modules/services/openct.if 2007-05-29 14:10:57.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/services/openct.if 2007-05-30 09:08:15.000000000 -0400 
@@ -1 +1,82 @@ ## <summary>Service for handling smart card readers.</summary> + +######################################## +## <summary> +## Execute a domain transition to run openct. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`openct_domtrans',` + gen_require(` + type openct_t, openct_exec_t; + ') + + domain_auto_trans($1,openct_exec_t,openct_t) + + allow openct_t $1:fd use; + allow openct_t $1:fifo_file rw_file_perms; + allow openct_t $1:process sigchld; +') + +######################################## +## <summary> +## Read openct PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`openct_read_pid_files',` + gen_require(` + type openct_var_run_t; + ') + + files_search_pids($1) + allow $1 openct_var_run_t:dir search_dir_perms; + allow $1 openct_var_run_t:file r_file_perms; +') + +######################################## +## <summary> +## Connect to openct over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`openct_stream_connect',` + gen_require(` + type openct_t, openct_var_run_t; + ') + + files_search_pids($1) + allow $1 openct_var_run_t:dir search_dir_perms; + allow $1 openct_var_run_t:sock_file write; + allow $1 openct_t:unix_stream_socket connectto; +') + +######################################## +## <summary> +## Send openct a null signal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`openct_signull',` + gen_require(` + type openct_t; + ') + + allow $1 openct_t:process signull; +') --- nsaserefpolicy/policy/modules/services/openct.te 2007-05-29 14:10:57.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/services/openct.te 2007-05-30 09:08:15.000000000 -0400 
@@ -21,9 +21,13 @@ dontaudit openct_t self:capability sys_tty_config; allow openct_t self:process signal_perms;
+can_exec(openct_t,openct_exec_t)
+corecmd_search_bin(openct_t)
kernel_read_kernel_sysctls(openct_t) kernel_list_proc(openct_t) kernel_read_proc_symlinks(openct_t) @@ -31,6 +35,8 @@ dev_read_sysfs(openct_t) # openct asks for this dev_rw_usbfs(openct_t) +dev_rw_smartcard(openct_t) +dev_rw_generic_usb_dev(openct_t) domain_use_interactive_fds(openct_t) -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Wed 30 May 2007 - 13:37:41 EDT |
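Review bot: In the openct.if hunk, `openct_domtrans` hand-writes `domain_auto_trans($1,openct_exec_t,openct_t)` followed by the `fd use`, `fifo_file rw_file_perms` and `process sigchld` allows; if this tree carries the reference-policy support macros, `domtrans_pattern($1, openct_exec_t, openct_t)` expresses the same transition in one line and keeps the rule set consistent with the other service modules. The same applies to `openct_stream_connect`, which grants `sock_file write` and `unix_stream_socket connectto` by hand where `stream_connect_pattern($1, openct_var_run_t, openct_var_run_t, openct_t)` would do. Minor: the summary reads "over an unix stream socket" and should be "over a unix stream socket".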
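Review bot: In the first openct.te hunk, `+can_exec(openct_t,openct_exec_t)` lets the daemon re-execute its own entrypoint binary without a domain transition, and `+corecmd_search_bin(openct_t)` widens its path search, but neither line carries a comment saying which openct behaviour (for example the control process spawning a reader handler) requires it. A one-line comment above `can_exec` would tell the next maintainer whether the permission is still needed or can be dropped.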
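Review bot: In the second openct.te hunk, the existing comment `# openct asks for this` sits directly above `dev_rw_usbfs(openct_t)`, and the two new lines `+dev_rw_smartcard(openct_t)` and `+dev_rw_generic_usb_dev(openct_t)` are added below it without their own explanation. `dev_rw_generic_usb_dev` grants read and write on every generic USB device node, which is broader than the smart-card access the module summary describes; a short comment naming the denial that motivated it, or a note on why `dev_rw_smartcard` alone is not sufficient, would justify the wider grant.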
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009