From: Miroslav Grepl Date: Thu, 24 Nov 2011 11:19:45 +0000 (+0100) Subject: Add colord_can_network_connect boolean X-Git-Tag: 000~78^2~6 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9e566b36b4f404f69daa8cd47e77313f9ae934dd;p=people%2Fstevee%2Fselinux-policy.git Add colord_can_network_connect boolean Conflicts: policy/modules/services/colord.te --- diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te index 25283e47..9db8952b 100644 --- a/policy/modules/services/colord.te +++ b/policy/modules/services/colord.te @@ -5,6 +5,13 @@ policy_module(colord, 1.0.0) # Declarations # +## +##

+## Allow colord domain to connect to the network using TCP. +##

+##
+gen_tunable(colord_can_network_connect, false) + type colord_t; type colord_exec_t; dbus_system_domain(colord_t, colord_exec_t) @@ -27,6 +34,7 @@ dontaudit colord_t self:capability sys_admin; allow colord_t self:process signal; allow colord_t self:fifo_file rw_fifo_file_perms; allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; +allow colord_t self:tcp_socket create_stream_socket_perms; allow colord_t self:udp_socket create_socket_perms; allow colord_t self:unix_dgram_socket create_socket_perms; @@ -93,6 +101,21 @@ userdom_rw_user_tmpfs_files(colord_t) userdom_home_reader(colord_t) +tunable_policy(`colord_can_network_connect',` + corenet_tcp_connect_all_ports(colord_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(colord_t) + fs_read_nfs_files(colord_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_getattr_cifs(colord_t) + fs_read_cifs_files(colord_t) +') +>>>>>>> 5034724... Add colord_can_network_connect boolean + optional_policy(` cups_read_config(colord_t) cups_read_rw_config(colord_t)
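Review bot: The description on `colord_can_network_connect` says only "connect to the network using TCP", but the tunable block later in this commit grants `corenet_tcp_connect_all_ports(colord_t)`, so enabling the boolean allows outbound TCP connections to every port type. An administrator reading the boolean's description before toggling it should see that scope; I would word it as `## Allow colord domain to connect to any TCP port.`. If colord only needs to reach specific services, a narrower connect interface would be a better fit, though the page does not show which ports it needs.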
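Review bot: `allow colord_t self:tcp_socket create_stream_socket_perms;` is added outside any `tunable_policy` block, so colord_t may create TCP stream sockets even while `colord_can_network_connect` is false. The boolean then gates only the port connect check, not the socket class itself. If nothing else in the module needs TCP, moving this rule inside the `colord_can_network_connect` block keeps the default-off state closer to least privilege. The stream permission set in the reference policy macros also carries `listen` and `accept`, which looks wider than an outbound-only boolean needs; confirm against the macro definitions in use.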
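Review bot: The added line `>>>>>>> 5034724... Add colord_can_network_connect boolean` is a leftover merge-conflict marker, committed as policy source right after the `use_samba_home_dirs` block. It is not policy syntax and should be deleted; as written the module is likely to fail to build. The `use_nfs_home_dirs` and `use_samba_home_dirs` blocks added in the same hunk are not mentioned in the subject and appear to have arrived through the same conflict resolution (the message lists `Conflicts: policy/modules/services/colord.te`). Check that they do not duplicate blocks already present elsewhere in colord.te, and that granting NFS/CIFS home-directory reads is intended in this commit.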