From: Miroslav Grepl Date: Mon, 21 Nov 2011 11:28:14 +0000 (+0100) Subject: Add sanlock_use_nfs and sanlock_use_samba booleans X-Git-Tag: 000~87 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=57b1b4b08d7bf9fbb0a451cd6d2e8ee5d8c2e028;p=people%2Fstevee%2Fselinux-policy.git Add sanlock_use_nfs and sanlock_use_samba booleans --- diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te index 0c1e385d..96adff59 100644 --- a/policy/modules/services/sanlock.te +++ b/policy/modules/services/sanlock.te @@ -5,6 +5,20 @@ policy_module(sanlock,1.0.0) # Declarations # +## +##

+## Allow confined virtual guests to manage nfs files +##

+##
+gen_tunable(sanlock_use_nfs, false) + +## +##

+## Allow confined virtual guests to manage cifs files +##

+##
+gen_tunable(sanlock_use_samba, false) + type sanlock_t; type sanlock_exec_t; init_daemon_domain(sanlock_t, sanlock_exec_t) @@ -61,6 +75,20 @@ init_dontaudit_write_utmp(sanlock_t) miscfiles_read_localization(sanlock_t) +tunable_policy(`sanlock_use_nfs',` + fs_manage_nfs_dirs(sanlock_t) + fs_manage_nfs_files(sanlock_t) + fs_manage_nfs_named_sockets(sanlock_t) + fs_read_nfs_symlinks(sanlock_t) +') + +tunable_policy(`sanlock_use_samba',` + fs_manage_cifs_dirs(sanlock_t) + fs_manage_cifs_files(sanlock_t) + fs_manage_cifs_named_sockets(sanlock_t) + fs_read_cifs_symlinks(sanlock_t) +') + optional_policy(` wdmd_stream_connect(sanlock_t) ')
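Review bot: The descriptions on both new tunables in the first hunk say "Allow confined virtual guests to manage nfs files" and "... cifs files", but the second hunk grants the access to sanlock_t, not to a virtual-guest domain. The wording looks carried over from a virt boolean, though that is inferred. Since this text is what an administrator reads before turning the boolean on, it should name the domain that actually gains access: `## Allow sanlock to manage nfs files` and `## Allow sanlock to manage cifs files`.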
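Review bot: Both `tunable_policy` blocks in the second hunk give sanlock_t manage rights on directories, files and named sockets through the generic NFS and CIFS interfaces, and nothing in the hunk says why each one is needed. These interfaces are not scoped to a path, so with the default labelling the grant presumably covers every NFS or CIFS mount on the host, not only the lease storage. If sanlock only reads and writes lease files on the share (to be confirmed against the AVC denials behind this change), `fs_manage_nfs_dirs(sanlock_t)`, `fs_manage_nfs_named_sockets(sanlock_t)` and their cifs counterparts could be dropped. Failing that, a comment above each block should record the scope, for example `# sanlock lease files live on shared storage; applies to all NFS mounts that carry the default label`.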