- Let all unconfined domains communicate with dbus unconfined
This commit is contained in:
parent
673eaaeafb
commit
0ec33db4ff
@ -6003,7 +6003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
|
|||||||
-')
|
-')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
|
||||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2007-12-21 02:47:15.000000000 -0500
|
||||||
@@ -91,7 +91,7 @@
|
@@ -91,7 +91,7 @@
|
||||||
# SE-DBus specific permissions
|
# SE-DBus specific permissions
|
||||||
allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
|
allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
|
||||||
@ -6043,13 +6043,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||||||
|
|
||||||
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||||
files_search_var_lib($2)
|
files_search_var_lib($2)
|
||||||
@@ -366,3 +367,35 @@
|
@@ -263,6 +264,7 @@
|
||||||
|
|
||||||
|
# For connecting to the bus
|
||||||
|
allow $3 $1_dbusd_t:unix_stream_socket connectto;
|
||||||
|
+ allow dbusd_unconfined $1_dbusd_t:dbus *;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
@@ -366,3 +368,53 @@
|
||||||
|
|
||||||
allow $1 system_dbusd_t:dbus *;
|
allow $1 system_dbusd_t:dbus *;
|
||||||
')
|
')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
|
+## Allow unconfined access to the system DBUS.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`dbus_unconfined',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute dbusd_unconfined;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ typeattribute $1 dbusd_unconfined;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
+## Create a domain for processes
|
+## Create a domain for processes
|
||||||
+## which can be started by the system dbus
|
+## which can be started by the system dbus
|
||||||
+## </summary>
|
+## </summary>
|
||||||
@ -6079,6 +6105,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
|||||||
+
|
+
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.2.5/policy/modules/services/dbus.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
|
+++ serefpolicy-3.2.5/policy/modules/services/dbus.te 2007-12-21 02:47:39.000000000 -0500
|
||||||
|
@@ -9,6 +9,7 @@
|
||||||
|
#
|
||||||
|
# Delcarations
|
||||||
|
#
|
||||||
|
+attribute dbusd_unconfined;
|
||||||
|
|
||||||
|
type dbusd_etc_t alias etc_dbusd_t;
|
||||||
|
files_type(dbusd_etc_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.2.5/policy/modules/services/dcc.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.2.5/policy/modules/services/dcc.if
|
||||||
--- nsaserefpolicy/policy/modules/services/dcc.if 2007-03-26 10:39:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/dcc.if 2007-03-26 10:39:05.000000000 -0400
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/dcc.if 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/dcc.if 2007-12-19 05:38:09.000000000 -0500
|
||||||
@ -12898,7 +12935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
|||||||
+/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
|
+/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.5/policy/modules/system/mount.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.5/policy/modules/system/mount.te
|
||||||
--- nsaserefpolicy/policy/modules/system/mount.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/mount.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/system/mount.te 2007-12-19 05:38:09.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/system/mount.te 2007-12-21 02:36:38.000000000 -0500
|
||||||
@@ -8,7 +8,7 @@
|
@@ -8,7 +8,7 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -12982,7 +13019,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -192,4 +200,26 @@
|
@@ -175,6 +183,11 @@
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
+# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
|
||||||
|
+optional_policy(`
|
||||||
|
+ lvm_domtrans(mount_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
# for kernel package installation
|
||||||
|
optional_policy(`
|
||||||
|
rpm_rw_pipes(mount_t)
|
||||||
|
@@ -192,4 +205,26 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
|
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
|
||||||
unconfined_domain(unconfined_mount_t)
|
unconfined_domain(unconfined_mount_t)
|
||||||
@ -12995,9 +13044,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
|||||||
+#
|
+#
|
||||||
+# ntfs local policy
|
+# ntfs local policy
|
||||||
+#
|
+#
|
||||||
+allow mount_t self:fifo_file { read write };
|
+allow mount_t self:fifo_file rw_fifo_file_perms;
|
||||||
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
|
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
+allow mount_t self:unix_dgram_socket { connect create };
|
+allow mount_t self:unix_dgram_socket create_socket_perms;
|
||||||
+
|
+
|
||||||
+corecmd_exec_shell(mount_t)
|
+corecmd_exec_shell(mount_t)
|
||||||
+
|
+
|
||||||
@ -13843,7 +13892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
|
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.5/policy/modules/system/unconfined.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.5/policy/modules/system/unconfined.if
|
||||||
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.if 2007-12-19 16:24:05.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.if 2007-12-21 02:48:29.000000000 -0500
|
||||||
@@ -12,14 +12,13 @@
|
@@ -12,14 +12,13 @@
|
||||||
#
|
#
|
||||||
interface(`unconfined_domain_noaudit',`
|
interface(`unconfined_domain_noaudit',`
|
||||||
@ -13878,7 +13927,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
|
|
||||||
kernel_unconfined($1)
|
kernel_unconfined($1)
|
||||||
corenet_unconfined($1)
|
corenet_unconfined($1)
|
||||||
@@ -581,7 +581,6 @@
|
@@ -70,6 +70,7 @@
|
||||||
|
optional_policy(`
|
||||||
|
# Communicate via dbusd.
|
||||||
|
dbus_system_bus_unconfined($1)
|
||||||
|
+ dbus_unconfined($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
@@ -581,7 +582,6 @@
|
||||||
interface(`unconfined_dbus_connect',`
|
interface(`unconfined_dbus_connect',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type unconfined_t;
|
type unconfined_t;
|
||||||
@ -13886,7 +13943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
')
|
')
|
||||||
|
|
||||||
allow $1 unconfined_t:dbus acquire_svc;
|
allow $1 unconfined_t:dbus acquire_svc;
|
||||||
@@ -589,7 +588,7 @@
|
@@ -589,7 +589,7 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -13895,7 +13952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -597,20 +596,53 @@
|
@@ -597,20 +597,53 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -13956,7 +14013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -618,31 +650,132 @@
|
@@ -618,31 +651,132 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
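Review bot: The summary of the new `dbus_unconfined` interface (`## Allow unconfined access to the system DBUS.`) does not describe what the attribute actually grants: the only rule attached to `dbusd_unconfined` is `allow dbusd_unconfined $1_dbusd_t:dbus *;` inside the per-user dbus template, so every domain given the attribute gets all dbus permissions on every user session bus, while the system bus is already covered by the `dbus_system_bus_unconfined($1)` call it is paired with in `unconfined_domain_noaudit`. Suggest `## Allow unconfined dbus access to all user session buses.` so anyone auditing the reach of unconfined domains sees the real scope. In the mount.te hunk, swapping `{ read write }` for `rw_fifo_file_perms` and `{ connect create }` for `create_socket_perms` matches refpolicy style but presumably widens mount_t's self permissions beyond the two sets previously listed (the macros likely add ioctl/getattr/bind and similar); if that widening is intended it deserves a mention in the changelog entry. The template enclosing the `dbusd_unconfined` rule in dbus.if starts outside the visible lines.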
|
@ -17,7 +17,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.2.5
|
Version: 3.2.5
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -386,6 +386,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-4
|
||||||
|
- Let all uncofined domains communicate with dbus unconfined
|
||||||
|
|
||||||
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-3
|
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-3
|
||||||
- Run rpm in system_r
|
- Run rpm in system_r
|
||||||
|
|
||||||
|