From: Linda K. <lin...@hp...> - 2011-07-29 23:02:37
Added some additional rules to allow login to be spawned from the lspp_test_r, needed for the libpam/login test. I'm not totally convinced that this isn't working around a namespace context problem but we'll sort that out separately.
Signed-off-by: Linda Knippers <lin...@hp...>
---
 audit/utils/selinux-policy/lspp_test.te | 18 +++++++++++++-----
 1 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/audit/utils/selinux-policy/lspp_test.te b/audit/utils/selinux-policy/lspp_test.te
index 8821985..52a6936 100644
--- a/audit/utils/selinux-policy/lspp_test.te
+++ b/audit/utils/selinux-policy/lspp_test.te
@@ -32,7 +32,7 @@ define(`ROLES_ALL',`sysadm_r secadm_r auditadm_r staff_r')
 # the policy_module() and gen_require() statements.
 #
-policy_module(lspp_test,6.3.3)
+policy_module(lspp_test,6.3.4)
 # we really shouldn't be accessing these policy constructs directly but there
 # isn't always a policy interface available for what we want to do, so just
@@ -49,10 +49,12 @@ gen_require(`
 # more objects for network controls
 type lo_netif_t, netif_t, node_t, unlabeled_t, netlabel_peer_t;
 type kernel_t, inetd_t, sshd_t, ping_t;
- # more objects needed for strace
- type staff_t, namespace_init_t, ssh_t, user_t, setfiles_t;
- # more objects needed for dmcrypt and cryptsetup
- type lvm_t, fsadm_t, udev_t;
+ # Needed for login
+ type staff_t;
+ # more objects needed for strace
+ type staff_t, namespace_init_t, ssh_t, user_t, setfiles_t;
+ # more objects needed for dmcrypt and cryptsetup
+ type lvm_t, fsadm_t, udev_t;
 ')
 ###
 #
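Review bot: The added `type staff_t;` under `# Needed for login` is redundant, because the very next added line, `type staff_t, namespace_init_t, ssh_t, user_t, setfiles_t;`, already requires staff_t in the same gen_require block. Whether or not the policy compiler tolerates the duplicate, the extra declaration hides why staff_t is needed rather than documenting it; I would drop the two added lines and extend the existing comment instead, e.g. `# more objects needed for strace and for spawning login`. The `gen_require(`` that opens this block sits before the hunk's first line, so only its tail is visible here.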
@@ -244,6 +246,12 @@ allow initrc_t lspp_harness_t:fd use;
 locallogin_domtrans(lspp_harness_t)
 allow local_login_t user_devpts_t:chr_file { read write ioctl relabelfrom relabelto setattr getattr open };
 allow local_login_t devpts_t:dir search;
+# the following is needed for the libpam/login test but seems to be related
+# to some questionable filesystem namespace behavior so maybe this is
+# temporary.
+allow local_login_t default_t:dir { read getattr open mounton relabelto rmdir setattr };
+allow staff_t lspp_test_output_t:file { write open };
+allow local_login_t var_t:dir mounton;
 # give the harness domain access to the sysadm lpr domain
 allow sysadm_lpr_t user_devpts_t:chr_file { read write };
-- 
1.7.4 |
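Review bot: The three new allow rules grant considerably more than a workaround for one test should, and nothing in the hunk records which denials they are meant to silence, which is what a later reader needs in order to remove them. `allow local_login_t default_t:dir { read getattr open mounton relabelto rmdir setattr }` lets the login domain mount over, relabel and remove any directory still carrying default_t, and `allow local_login_t var_t:dir mounton` lets it mount over directories labelled var_t; both look wider than whatever single access the libpam/login test tripped on, so narrowing them to the permissions named in the recorded AVC messages would keep the harness policy's separation intact. `allow staff_t lspp_test_output_t:file { write open }` applies to every staff_t process rather than only the login spawned by the harness, so if the intent is just the test's output file, a narrower source domain is worth considering. Since the comment already calls the change temporary, I would make it actionable, e.g. `# TODO: remove once <NAMESPACE-ISSUE-ID> is resolved; the exact AVC denials from the libpam/login test are listed in <TEST-LOG-REFERENCE>`, with the placeholders filled in from the test run.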