author | Nathan Straz <nstraz@redhat.com> | 2010-06-30 11:01:33 -0400 |
---|---|---|
committer | Nathan Straz <nstraz@redhat.com> | 2010-06-30 11:01:33 -0400 |
commit | cf9f0946e11149e2ea37ababc15ec6dc0904d446 (patch) | |
tree | 78cb494db5e0373c15f9aa7c6e6a04cbe7ec7281 /SELinux | |
parent | 08df7de7c7da541dd629c2d7a04a344603757eb8 (diff) | |
download | qarsh-cf9f0946e11149e2ea37ababc15ec6dc0904d446.tar.gz qarsh-cf9f0946e11149e2ea37ababc15ec6dc0904d446.tar.xz qarsh-cf9f0946e11149e2ea37ababc15ec6dc0904d446.zip |
Allow all domains more rights to qarshd_t sockets
qarshd_t sockets end up as stdin, stdout, and stderr.
Some programs will fstat them to determine what they
are or change flags on the file descriptor, this is ok.
Diffstat (limited to 'SELinux')
-rw-r--r-- | SELinux/qarshd.te.in | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/SELinux/qarshd.te.in b/SELinux/qarshd.te.in index 7936140..3c802b5 100644 --- a/SELinux/qarshd.te.in +++ b/SELinux/qarshd.te.in @@ -28,8 +28,10 @@ domain_auto_trans(unconfined_t, qarshd_exec_t, qarshd_t); # allow any transition from qarshd_t allow qarshd_t domain:process { transition }; -# allow any domain to write to qarshd_t sockets -allow domain qarshd_t:tcp_socket { write read }; +# qarshd_t sockets end up as stdin, stdout, and stderr +# for processes in other domains, let them read, write, +# fstat and ioctl on them +allow domain qarshd_t:tcp_socket { write read getattr ioctl}; # allow any domain to signal to qarshd_t process allow domain qarshd_t:process { sigchld }; |
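Review bot: the new `allow domain qarshd_t:tcp_socket { write read getattr ioctl};` line grants `ioctl` to every domain, and that permission covers every ioctl command on the socket, so it is the broadest of the four permissions in the rule; the comment above it should say which operation actually needs it. The commit message motivates it with "change flags on the file descriptor", but flag changes on an fd go through fcntl, not ioctl, so either the comment should name the real trigger (e.g. a terminal-type probe on stdout) or, if the affected programs only probe and tolerate the failure, a `dontaudit` for `getattr ioctl` would silence the denials without widening the policy. Style nit in the same line: `ioctl}` is missing the space before the brace that `{ transition }` and `{ sigchld }` use elsewhere in the file; suggest `{ write read getattr ioctl };`.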