[refpolicy] [PATCH 2/5] Introduce interface to relabel from/to pidfile associated types

Sven Vermeulen sven.vermeulen at siphos.be
Thu Aug 7 14:05:35 EDT 2014


This interface can be used by domains needing wide relabel privileges
towards the *_var_run_t and var_run_t types.

Signed-off-by: Jason Zaman <jason at perfinion.com>
Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
---
 policy/modules/kernel/files.if | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f2da032..fd56414 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6304,6 +6304,28 @@ interface(`files_delete_all_pid_dirs',`
 	delete_dirs_pattern($1, pidfile, pidfile)
 ')
 
+#########################################
+## <summary>
+##	Allow relabeling from and to any pidfile associated type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_all_pids',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:dir list_dir_perms;
+
+	relabel_dirs_pattern($1, pidfile, pidfile)
+	relabel_files_pattern($1, pidfile, pidfile)
+	relabel_lnk_files_pattern($1, pidfile, pidfile)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write and delete all
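Review bot: The three relabel_*_pattern calls in files_relabel_all_pids cover only dir, file and lnk_file objects, while the commit message describes "wide relabel privileges" towards *_var_run_t and var_run_t, so sockets and named pipes labeled with a pidfile type stay outside the interface. If they are meant to be included, add relabel_sock_files_pattern($1, pidfile, pidfile) and relabel_fifo_files_pattern($1, pidfile, pidfile); if not, have the summary name the object classes it does cover so callers do not assume more. Because relabelfrom/relabelto over the whole pidfile attribute lets the calling domain change the label on any runtime file carrying that attribute, the doc comment should also state that the grant is that broad, so reviewers of later callers can judge whether a narrower per-type interface would do.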
-- 
1.8.5.5


