- Fixes for xguest package
parent
e91d876567
commit
1094d02fe9
@ -584,7 +584,7 @@ index 0bfc958..af95b7a 100644
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
cron_system_entry(backup_t, backup_exec_t)
|
cron_system_entry(backup_t, backup_exec_t)
|
||||||
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
|
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
|
||||||
index 7a6f06f..39f1adf 100644
|
index 7a6f06f..3cf6457 100644
|
||||||
--- a/policy/modules/admin/bootloader.fc
|
--- a/policy/modules/admin/bootloader.fc
|
||||||
+++ b/policy/modules/admin/bootloader.fc
|
+++ b/policy/modules/admin/bootloader.fc
|
||||||
@@ -1,9 +1,11 @@
|
@@ -1,9 +1,11 @@
|
||||||
@ -600,7 +600,7 @@ index 7a6f06f..39f1adf 100644
|
|||||||
|
|
||||||
-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
+/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
+/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
+/sur/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
+/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
+/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
+/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
|
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
|
||||||
index 63eb96b..d7a6063 100644
|
index 63eb96b..d7a6063 100644
|
||||||
@ -4322,7 +4322,7 @@ index 81fb26f..66cf96c 100644
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
||||||
index 441cf22..6bcfc8c 100644
|
index 441cf22..a2987d7 100644
|
||||||
--- a/policy/modules/admin/usermanage.te
|
--- a/policy/modules/admin/usermanage.te
|
||||||
+++ b/policy/modules/admin/usermanage.te
|
+++ b/policy/modules/admin/usermanage.te
|
||||||
@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
|
@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
|
||||||
@ -4522,17 +4522,23 @@ index 441cf22..6bcfc8c 100644
|
|||||||
files_search_var_lib(useradd_t)
|
files_search_var_lib(useradd_t)
|
||||||
files_relabel_etc_files(useradd_t)
|
files_relabel_etc_files(useradd_t)
|
||||||
files_read_etc_runtime_files(useradd_t)
|
files_read_etc_runtime_files(useradd_t)
|
||||||
@@ -460,6 +477,7 @@ fs_search_auto_mountpoints(useradd_t)
|
@@ -460,17 +477,15 @@ fs_search_auto_mountpoints(useradd_t)
|
||||||
fs_getattr_xattr_fs(useradd_t)
|
fs_getattr_xattr_fs(useradd_t)
|
||||||
|
|
||||||
mls_file_upgrade(useradd_t)
|
mls_file_upgrade(useradd_t)
|
||||||
+mls_process_read_to_clearance(useradd_t)
|
+mls_process_read_to_clearance(useradd_t)
|
||||||
|
|
||||||
# Allow access to context for shadow file
|
-# Allow access to context for shadow file
|
||||||
selinux_get_fs_mount(useradd_t)
|
-selinux_get_fs_mount(useradd_t)
|
||||||
@@ -469,8 +487,8 @@ selinux_compute_create_context(useradd_t)
|
-selinux_validate_context(useradd_t)
|
||||||
selinux_compute_relabel_context(useradd_t)
|
-selinux_compute_access_vector(useradd_t)
|
||||||
selinux_compute_user_contexts(useradd_t)
|
-selinux_compute_create_context(useradd_t)
|
||||||
|
-selinux_compute_relabel_context(useradd_t)
|
||||||
|
-selinux_compute_user_contexts(useradd_t)
|
||||||
|
+seutil_semanage_policy(useradd_t)
|
||||||
|
+seutil_manage_file_contexts(useradd_t)
|
||||||
|
+seutil_manage_config(useradd_t)
|
||||||
|
+seutil_manage_default_contexts(useradd_t)
|
||||||
|
|
||||||
-term_use_all_ttys(useradd_t)
|
-term_use_all_ttys(useradd_t)
|
||||||
-term_use_all_ptys(useradd_t)
|
-term_use_all_ptys(useradd_t)
|
||||||
@ -4541,7 +4547,7 @@ index 441cf22..6bcfc8c 100644
|
|||||||
|
|
||||||
auth_domtrans_chk_passwd(useradd_t)
|
auth_domtrans_chk_passwd(useradd_t)
|
||||||
auth_rw_lastlog(useradd_t)
|
auth_rw_lastlog(useradd_t)
|
||||||
@@ -478,6 +496,7 @@ auth_rw_faillog(useradd_t)
|
@@ -478,6 +493,7 @@ auth_rw_faillog(useradd_t)
|
||||||
auth_use_nsswitch(useradd_t)
|
auth_use_nsswitch(useradd_t)
|
||||||
# these may be unnecessary due to the above
|
# these may be unnecessary due to the above
|
||||||
# domtrans_chk_passwd() call.
|
# domtrans_chk_passwd() call.
|
||||||
@ -4549,7 +4555,7 @@ index 441cf22..6bcfc8c 100644
|
|||||||
auth_manage_shadow(useradd_t)
|
auth_manage_shadow(useradd_t)
|
||||||
auth_relabel_shadow(useradd_t)
|
auth_relabel_shadow(useradd_t)
|
||||||
auth_etc_filetrans_shadow(useradd_t)
|
auth_etc_filetrans_shadow(useradd_t)
|
||||||
@@ -495,24 +514,19 @@ seutil_read_file_contexts(useradd_t)
|
@@ -495,24 +511,19 @@ seutil_read_file_contexts(useradd_t)
|
||||||
seutil_read_default_contexts(useradd_t)
|
seutil_read_default_contexts(useradd_t)
|
||||||
seutil_domtrans_semanage(useradd_t)
|
seutil_domtrans_semanage(useradd_t)
|
||||||
seutil_domtrans_setfiles(useradd_t)
|
seutil_domtrans_setfiles(useradd_t)
|
||||||
@ -22966,10 +22972,10 @@ index 0000000..bac0dc0
|
|||||||
+
|
+
|
||||||
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..90af157
|
index 0000000..692ef0d
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/roles/unconfineduser.te
|
+++ b/policy/modules/roles/unconfineduser.te
|
||||||
@@ -0,0 +1,379 @@
|
@@ -0,0 +1,383 @@
|
||||||
+policy_module(unconfineduser, 1.0.0)
|
+policy_module(unconfineduser, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -23323,6 +23329,10 @@ index 0000000..90af157
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ usermanage_run_useradd(unconfined_t, unconfined_r)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ vbetool_run(unconfined_t, unconfined_r)
|
+ vbetool_run(unconfined_t, unconfined_r)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -46681,7 +46691,7 @@ index e9c0982..ac7e846 100644
|
|||||||
+ mysql_stream_connect($1)
|
+ mysql_stream_connect($1)
|
||||||
')
|
')
|
||||||
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
|
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
|
||||||
index 0a0d63c..8fcabd8 100644
|
index 0a0d63c..2f51d5a 100644
|
||||||
--- a/policy/modules/services/mysql.te
|
--- a/policy/modules/services/mysql.te
|
||||||
+++ b/policy/modules/services/mysql.te
|
+++ b/policy/modules/services/mysql.te
|
||||||
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
|
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
|
||||||
@ -46740,7 +46750,7 @@ index 0a0d63c..8fcabd8 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`mysql_connect_any',`
|
tunable_policy(`mysql_connect_any',`
|
||||||
@@ -154,7 +158,7 @@ optional_policy(`
|
@@ -154,10 +158,11 @@ optional_policy(`
|
||||||
#
|
#
|
||||||
|
|
||||||
allow mysqld_safe_t self:capability { chown dac_override fowner kill };
|
allow mysqld_safe_t self:capability { chown dac_override fowner kill };
|
||||||
@ -46749,7 +46759,11 @@ index 0a0d63c..8fcabd8 100644
|
|||||||
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
|
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
|
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
|
||||||
@@ -170,26 +174,33 @@ kernel_read_system_state(mysqld_safe_t)
|
+delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
|
||||||
|
|
||||||
|
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
|
||||||
|
|
||||||
|
@@ -170,26 +175,33 @@ kernel_read_system_state(mysqld_safe_t)
|
||||||
kernel_read_kernel_sysctls(mysqld_safe_t)
|
kernel_read_kernel_sysctls(mysqld_safe_t)
|
||||||
|
|
||||||
corecmd_exec_bin(mysqld_safe_t)
|
corecmd_exec_bin(mysqld_safe_t)
|
||||||
@ -70011,10 +70025,10 @@ index 1a3d970..0995a02 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
|
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
|
||||||
index 354ce93..32b31b4 100644
|
index 354ce93..4738083 100644
|
||||||
--- a/policy/modules/system/init.fc
|
--- a/policy/modules/system/init.fc
|
||||||
+++ b/policy/modules/system/init.fc
|
+++ b/policy/modules/system/init.fc
|
||||||
@@ -33,9 +33,23 @@ ifdef(`distro_gentoo', `
|
@@ -33,6 +33,18 @@ ifdef(`distro_gentoo', `
|
||||||
#
|
#
|
||||||
# /sbin
|
# /sbin
|
||||||
#
|
#
|
||||||
@ -70033,12 +70047,7 @@ index 354ce93..32b31b4 100644
|
|||||||
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
|
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
|
||||||
# because nowadays, /sbin/init is often a symlink to /sbin/upstart
|
# because nowadays, /sbin/init is often a symlink to /sbin/upstart
|
||||||
/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
|
/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
|
||||||
+# for Fedora
|
@@ -50,11 +62,23 @@ ifdef(`distro_gentoo', `
|
||||||
+/lib/upstart/init -- gen_context(system_u:object_r:init_exec_t,s0)
|
|
||||||
|
|
||||||
ifdef(`distro_gentoo', `
|
|
||||||
/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
|
||||||
@@ -50,11 +64,23 @@ ifdef(`distro_gentoo', `
|
|
||||||
#
|
#
|
||||||
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
||||||
|
|
||||||
@ -70062,7 +70071,7 @@ index 354ce93..32b31b4 100644
|
|||||||
|
|
||||||
#
|
#
|
||||||
# /var
|
# /var
|
||||||
@@ -76,3 +102,4 @@ ifdef(`distro_suse', `
|
@@ -76,3 +100,4 @@ ifdef(`distro_suse', `
|
||||||
/var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
/var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||||
/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
|
/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||||
')
|
')
|
||||||
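Review bot: The four `seutil_*` calls added for useradd_t in the usermanage.te hunk (`seutil_semanage_policy`, `seutil_manage_file_contexts`, `seutil_manage_config`, `seutil_manage_default_contexts`) carry no comment, and the one comment on the block they replace, `# Allow access to context for shadow file`, is removed with it. Going by the interface names, they give useradd_t direct write access to the policy store and SELinux configuration, which looks broader than the `selinux_compute_*` and `selinux_validate_context` calls being dropped; a later hunk of the same file still shows `seutil_domtrans_semanage(useradd_t)`, so the work may already be possible in the semanage domain. I would keep only the calls a recorded AVC denial justifies and put a line such as `# <useradd operation> writes the policy store in-process; domtrans to semanage is not enough` above them. This matters more now that the new `usermanage_run_useradd(unconfined_t, unconfined_r)` block in unconfineduser.te routes unconfined callers into useradd_t. Only parts of each hunk are visible on this page, so the surrounding rules are not checked here.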
|
@ -17,7 +17,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.10.0
|
Version: 3.10.0
|
||||||
Release: 65%{?dist}
|
Release: 66%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -470,6 +470,9 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Dec 7 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-66
|
||||||
|
- Fixes for xguest package
|
||||||
|
|
||||||
* Tue Dec 6 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-65
|
* Tue Dec 6 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-65
|
||||||
- Fixes related to /bin, /sbin
|
- Fixes related to /bin, /sbin
|
||||||
- Allow abrt to getattr on blk files
|
- Allow abrt to getattr on blk files
|
||||||
|