On Mon, 2008-08-04 at 14:35 +0200, david@xxxxxxxxxxx wrote: > plain text document attachment (policy_modules_system_fstools.patch) > Mostly to allow xen/cifs/nfs file management Comments inline > Index: refpolicy/policy/modules/system/fstools.if > =================================================================== > --- refpolicy.orig/policy/modules/system/fstools.if 2008-07-19 19:15:43.000000000 +0200 > +++ refpolicy/policy/modules/system/fstools.if 2008-08-03 18:06:57.000000000 +0200 > @@ -142,3 +142,21 @@ > > allow $1 swapfile_t:file getattr; > ') > + > +######################################## > +## <summary> > +## Send signal to fsadm process > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`fstools_signal',` > + gen_require(` > + type fsadm_t; > + ') > + > + allow $1 fsadm_t:process signal; > +') This needs to be moved after fstools_exec() > Index: refpolicy/policy/modules/system/fstools.te > =================================================================== > --- refpolicy.orig/policy/modules/system/fstools.te 2008-07-19 19:15:43.000000000 +0200 > +++ refpolicy/policy/modules/system/fstools.te 2008-08-03 18:06:57.000000000 +0200 > @@ -97,6 +97,10 @@ > fs_getattr_tmpfs_dirs(fsadm_t) > fs_read_tmpfs_symlinks(fsadm_t) > > +fs_manage_nfs_files(fsadm_t) > + > +fs_manage_cifs_files(fsadm_t) I need justification for these. > mls_file_read_all_levels(fsadm_t) > mls_file_write_all_levels(fsadm_t) > > @@ -184,4 +188,9 @@ > > optional_policy(` > xen_append_log(fsadm_t) > + xen_rw_image_files(fsadm_t) > +') > + > +optional_policy(` > + unconfined_domain(fsadm_t) > ') > -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
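
Review bot: in the fstools.if hunk (@@ -142,3 +142,21 @@), nothing in this patch calls the new fstools_signal() interface, and the description ("Mostly to allow xen/cifs/nfs file management") does not say which domain needs to signal fsadm_t. Please name the caller in the description, or send the interface together with the policy that uses it, so the "allow $1 fsadm_t:process signal;" grant can be judged against a concrete need. The summary would also read better as a full sentence, for example "Send a generic signal to fsadm processes."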
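
Review bot: in the first fstools.te hunk (@@ -97,6 +97,10 @@), fs_manage_nfs_files(fsadm_t) and fs_manage_cifs_files(fsadm_t) are granted unconditionally, so every fsadm_t process gains create, write and delete access to all NFS and CIFS file content, not only the Xen case the description mentions. If the need is for the filesystem tools to operate on disk image files stored on a network share, a read/write grant rather than manage, placed under a conditional or next to the Xen rules, would cover it with far less access; the description should state which tool hit which denial.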
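
Review bot: in the last fstools.te hunk (@@ -184,4 +188,9 @@), the new optional_policy block calling unconfined_domain(fsadm_t) is not covered by the description and makes the rest of the patch moot: wherever the unconfined module is built, fsadm_t stops being confined, so the targeted fs_manage_nfs_files, fs_manage_cifs_files and xen_rw_image_files grants add nothing. Suggest dropping that block, keeping xen_rw_image_files(fsadm_t) inside the existing Xen optional_policy, and adding only the specific rules that the remaining denials show are needed.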