authorNathan Straz <nstraz@redhat.com>2010-06-30 11:01:33 -0400
committerNathan Straz <nstraz@redhat.com>2010-06-30 11:01:33 -0400
commitcf9f0946e11149e2ea37ababc15ec6dc0904d446 (patch)
tree78cb494db5e0373c15f9aa7c6e6a04cbe7ec7281
parent08df7de7c7da541dd629c2d7a04a344603757eb8 (diff)
Allow all domains more rights to qarshd_t sockets
qarshd_t sockets end up as stdin, stdout, and stderr. Some programs fstat them to determine what they are, or change flags on the file descriptor; this is fine.
-rw-r--r--SELinux/qarshd.te.in6
1 files changed, 4 insertions, 2 deletions
diff --git a/SELinux/qarshd.te.in b/SELinux/qarshd.te.in
index 7936140..3c802b5 100644
--- a/SELinux/qarshd.te.in
+++ b/SELinux/qarshd.te.in
@@ -28,8 +28,10 @@ domain_auto_trans(unconfined_t, qarshd_exec_t, qarshd_t);
# allow any transition from qarshd_t
allow qarshd_t domain:process { transition };
-# allow any domain to write to qarshd_t sockets
-allow domain qarshd_t:tcp_socket { write read };
+# qarshd_t sockets end up as stdin, stdout, and stderr
+# for processes in other domains, let them read, write,
+# fstat and ioctl on them
+allow domain qarshd_t:tcp_socket { write read getattr ioctl};
# allow any domain to signal to qarshd_t process
allow domain qarshd_t:process { sigchld };
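Review bot: The rewritten rule `allow domain qarshd_t:tcp_socket { write read getattr ioctl};` is missing the space before the closing brace, unlike the other rules in this hunk (`{ transition }`, `{ sigchld }`); write `allow domain qarshd_t:tcp_socket { write read getattr ioctl };`. Separately, the commit message says programs "change flags on the file descriptor", which is an fcntl operation rather than ioctl, while the new `ioctl` permission grants every ioctl request on these sockets to every domain — wider than what fstat and fd-flag changes require. If `ioctl` was added because a specific denial was observed, the comment should name it so a later reader can tell whether it is still needed, e.g. `# ioctl: seen as <observed ioctl denial — fill in from audit log>` (placeholder); if not, `getattr` alone may be enough, and newer policy toolchains can narrow the ioctl grant to specific requests with an extended-permission rule, which I'd suggest considering if this policy is updated again.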