- Fixes for xguest package
parent
e91d876567
commit
1094d02fe9
@ -584,7 +584,7 @@ index 0bfc958..af95b7a 100644
|
||||
optional_policy(`
|
||||
cron_system_entry(backup_t, backup_exec_t)
|
||||
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
|
||||
index 7a6f06f..39f1adf 100644
|
||||
index 7a6f06f..3cf6457 100644
|
||||
--- a/policy/modules/admin/bootloader.fc
|
||||
+++ b/policy/modules/admin/bootloader.fc
|
||||
@@ -1,9 +1,11 @@
|
||||
@ -600,7 +600,7 @@ index 7a6f06f..39f1adf 100644
|
||||
|
||||
-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
+/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
+/sur/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
+/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
+/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
|
||||
index 63eb96b..d7a6063 100644
|
||||
@ -4322,7 +4322,7 @@ index 81fb26f..66cf96c 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
||||
index 441cf22..6bcfc8c 100644
|
||||
index 441cf22..a2987d7 100644
|
||||
--- a/policy/modules/admin/usermanage.te
|
||||
+++ b/policy/modules/admin/usermanage.te
|
||||
@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
|
||||
@ -4522,17 +4522,23 @@ index 441cf22..6bcfc8c 100644
|
||||
files_search_var_lib(useradd_t)
|
||||
files_relabel_etc_files(useradd_t)
|
||||
files_read_etc_runtime_files(useradd_t)
|
||||
@@ -460,6 +477,7 @@ fs_search_auto_mountpoints(useradd_t)
|
||||
@@ -460,17 +477,15 @@ fs_search_auto_mountpoints(useradd_t)
|
||||
fs_getattr_xattr_fs(useradd_t)
|
||||
|
||||
mls_file_upgrade(useradd_t)
|
||||
+mls_process_read_to_clearance(useradd_t)
|
||||
|
||||
# Allow access to context for shadow file
|
||||
selinux_get_fs_mount(useradd_t)
|
||||
@@ -469,8 +487,8 @@ selinux_compute_create_context(useradd_t)
|
||||
selinux_compute_relabel_context(useradd_t)
|
||||
selinux_compute_user_contexts(useradd_t)
|
||||
-# Allow access to context for shadow file
|
||||
-selinux_get_fs_mount(useradd_t)
|
||||
-selinux_validate_context(useradd_t)
|
||||
-selinux_compute_access_vector(useradd_t)
|
||||
-selinux_compute_create_context(useradd_t)
|
||||
-selinux_compute_relabel_context(useradd_t)
|
||||
-selinux_compute_user_contexts(useradd_t)
|
||||
+seutil_semanage_policy(useradd_t)
|
||||
+seutil_manage_file_contexts(useradd_t)
|
||||
+seutil_manage_config(useradd_t)
|
||||
+seutil_manage_default_contexts(useradd_t)
|
||||
|
||||
-term_use_all_ttys(useradd_t)
|
||||
-term_use_all_ptys(useradd_t)
|
||||
@ -4541,7 +4547,7 @@ index 441cf22..6bcfc8c 100644
|
||||
|
||||
auth_domtrans_chk_passwd(useradd_t)
|
||||
auth_rw_lastlog(useradd_t)
|
||||
@@ -478,6 +496,7 @@ auth_rw_faillog(useradd_t)
|
||||
@@ -478,6 +493,7 @@ auth_rw_faillog(useradd_t)
|
||||
auth_use_nsswitch(useradd_t)
|
||||
# these may be unnecessary due to the above
|
||||
# domtrans_chk_passwd() call.
|
||||
@ -4549,7 +4555,7 @@ index 441cf22..6bcfc8c 100644
|
||||
auth_manage_shadow(useradd_t)
|
||||
auth_relabel_shadow(useradd_t)
|
||||
auth_etc_filetrans_shadow(useradd_t)
|
||||
@@ -495,24 +514,19 @@ seutil_read_file_contexts(useradd_t)
|
||||
@@ -495,24 +511,19 @@ seutil_read_file_contexts(useradd_t)
|
||||
seutil_read_default_contexts(useradd_t)
|
||||
seutil_domtrans_semanage(useradd_t)
|
||||
seutil_domtrans_setfiles(useradd_t)
|
||||
@ -22966,10 +22972,10 @@ index 0000000..bac0dc0
|
||||
+
|
||||
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
||||
new file mode 100644
|
||||
index 0000000..90af157
|
||||
index 0000000..692ef0d
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/roles/unconfineduser.te
|
||||
@@ -0,0 +1,379 @@
|
||||
@@ -0,0 +1,383 @@
|
||||
+policy_module(unconfineduser, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -23323,6 +23329,10 @@ index 0000000..90af157
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ usermanage_run_useradd(unconfined_t, unconfined_r)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ vbetool_run(unconfined_t, unconfined_r)
|
||||
+')
|
||||
+
|
||||
@ -46681,7 +46691,7 @@ index e9c0982..ac7e846 100644
|
||||
+ mysql_stream_connect($1)
|
||||
')
|
||||
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
|
||||
index 0a0d63c..8fcabd8 100644
|
||||
index 0a0d63c..2f51d5a 100644
|
||||
--- a/policy/modules/services/mysql.te
|
||||
+++ b/policy/modules/services/mysql.te
|
||||
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
|
||||
@ -46740,7 +46750,7 @@ index 0a0d63c..8fcabd8 100644
|
||||
')
|
||||
|
||||
tunable_policy(`mysql_connect_any',`
|
||||
@@ -154,7 +158,7 @@ optional_policy(`
|
||||
@@ -154,10 +158,11 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow mysqld_safe_t self:capability { chown dac_override fowner kill };
|
||||
@ -46749,7 +46759,11 @@ index 0a0d63c..8fcabd8 100644
|
||||
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
|
||||
@@ -170,26 +174,33 @@ kernel_read_system_state(mysqld_safe_t)
|
||||
+delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
|
||||
|
||||
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
|
||||
|
||||
@@ -170,26 +175,33 @@ kernel_read_system_state(mysqld_safe_t)
|
||||
kernel_read_kernel_sysctls(mysqld_safe_t)
|
||||
|
||||
corecmd_exec_bin(mysqld_safe_t)
|
||||
@ -70011,10 +70025,10 @@ index 1a3d970..0995a02 100644
|
||||
')
|
||||
|
||||
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
|
||||
index 354ce93..32b31b4 100644
|
||||
index 354ce93..4738083 100644
|
||||
--- a/policy/modules/system/init.fc
|
||||
+++ b/policy/modules/system/init.fc
|
||||
@@ -33,9 +33,23 @@ ifdef(`distro_gentoo', `
|
||||
@@ -33,6 +33,18 @@ ifdef(`distro_gentoo', `
|
||||
#
|
||||
# /sbin
|
||||
#
|
||||
@ -70033,12 +70047,7 @@ index 354ce93..32b31b4 100644
|
||||
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
|
||||
# because nowadays, /sbin/init is often a symlink to /sbin/upstart
|
||||
/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
|
||||
+# for Fedora
|
||||
+/lib/upstart/init -- gen_context(system_u:object_r:init_exec_t,s0)
|
||||
|
||||
ifdef(`distro_gentoo', `
|
||||
/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
||||
@@ -50,11 +64,23 @@ ifdef(`distro_gentoo', `
|
||||
@@ -50,11 +62,23 @@ ifdef(`distro_gentoo', `
|
||||
#
|
||||
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
||||
|
||||
@ -70062,7 +70071,7 @@ index 354ce93..32b31b4 100644
|
||||
|
||||
#
|
||||
# /var
|
||||
@@ -76,3 +102,4 @@ ifdef(`distro_suse', `
|
||||
@@ -76,3 +100,4 @@ ifdef(`distro_suse', `
|
||||
/var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
')
|
||||
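Review bot: The useradd_t block in the usermanage.te part of the patch now carries `seutil_semanage_policy(useradd_t)`, `seutil_manage_file_contexts(useradd_t)`, `seutil_manage_config(useradd_t)` and `seutil_manage_default_contexts(useradd_t)`, which, judging by the interface names, let useradd_t itself modify the SELinux policy store and configuration, although the same block already keeps `seutil_domtrans_semanage(useradd_t)` and `seutil_domtrans_setfiles(useradd_t)`. The transitions keep those writes in the semanage and setfiles domains; the direct grants put them in useradd_t as well, so they should stay only if a recorded AVC denial requires them. I would add a comment above the four lines stating the reason, for example `# useradd calls libsemanage in-process for SELinux user mappings (confirm against the AVC)`, and mention there that `usermanage_run_useradd(unconfined_t, unconfined_r)` in unconfineduser.te adds another entry path into this domain. The rendered page lost the outer +/- markers, so which of these lines this commit itself introduces is inferred from the duplicated hunk headers rather than read directly.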
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.10.0
|
||||
Release: 65%{?dist}
|
||||
Release: 66%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -470,6 +470,9 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Dec 7 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-66
|
||||
- Fixes for xguest package
|
||||
|
||||
* Tue Dec 6 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-65
|
||||
- Fixes related to /bin, /sbin
|
||||
- Allow abrt to getattr on blk files
|
||||
|