gentoo testing fixes.

This commit is contained in:
Chris PeBenito 2006-10-13 21:44:02 +00:00
parent 8a2492a2df
commit 14b1684aae
7 changed files with 21 additions and 11 deletions


@ -173,6 +173,7 @@ interface(`portage_compile_domain',`
dev_read_urand($1) dev_read_urand($1)
domain_use_interactive_fds($1) domain_use_interactive_fds($1)
domain_dontaudit_read_all_domains_state($1)
files_exec_etc_files($1) files_exec_etc_files($1)
files_exec_usr_src_files($1) files_exec_usr_src_files($1)
@ -222,8 +223,7 @@ interface(`portage_compile_domain',`
# #
interface(`portage_fetch_domain',` interface(`portage_fetch_domain',`
allow $1 self:capability dac_override; allow $1 self:capability { dac_override fowner fsetid };
dontaudit $1 self:capability { fowner fsetid };
allow $1 self:process signal; allow $1 self:process signal;
allow $1 self:unix_stream_socket create_socket_perms; allow $1 self:unix_stream_socket create_socket_perms;
allow $1 self:tcp_socket create_stream_socket_perms; allow $1 self:tcp_socket create_stream_socket_perms;
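Review bot: The new `allow $1 self:capability { dac_override fowner fsetid };` in portage_fetch_domain turns two capabilities that the old line only dontaudited into real grants for a domain that also gets tcp_socket create perms — fowner bypasses ownership checks on chmod/chown/utime and fsetid lets the domain keep setuid/setgid bits on files it writes, which is more than a downloader obviously needs. Nothing in the hunk records which denial motivated the change; if it is wget or rsync fixing up the mode of distfiles they did not create (an inference — confirm from the audit log), that belongs in a comment above the allow, e.g. `# fowner/fsetid: fetchers chmod()/chown() distfiles owned by other users`. If only one of the two capabilities is actually hit, the other should go back to dontaudit. The portage_fetch_domain interface continues past the end of the hunk.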


@ -1,5 +1,5 @@
policy_module(portage,1.0.5) policy_module(portage,1.0.6)
######################################## ########################################
# #
@ -151,7 +151,7 @@ portage_main_domain(portage_t.merge)
# if sesandbox is disabled, compiling is performed in this domain # if sesandbox is disabled, compiling is performed in this domain
portage_compile_domain(portage_t.merge) portage_compile_domain(portage_t.merge)
allow portage_t.merge portage_t.fetch:process signal; allow portage_t.merge { portage_t.fetch portage_t.sandbox }:process signal;
# transition for rsync and wget # transition for rsync and wget
corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch) corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch)


@ -24,6 +24,12 @@
/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
/var/spool/cron/[^/]* -- <<none>> /var/spool/cron/[^/]* -- <<none>>
ifdef(`distro_gentoo',`
/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <<none>>
')
ifdef(`distro_suse', ` ifdef(`distro_suse', `
/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <<none>> /var/spool/cron/lastrun/[^/]* -- <<none>>
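Review bot: The new distro_gentoo block is byte-identical to the distro_suse block directly under it, and two copies of the same two lines will drift the first time one of them is touched. m4 `ifdef` has no disjunction, so the duplication is hard to avoid in an .fc file, but each copy should at least carry a comment pointing at the other, e.g. `# keep in sync with the distro_suse block below` and `# keep in sync with the distro_gentoo block above`. It is also worth noting next to the `<<none>>` entry that restorecon will never repair a mislabeled file under lastrun, so the type of those files has to come entirely from crond's own transition rules.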


@ -1,5 +1,5 @@
policy_module(cron,1.3.15) policy_module(cron,1.3.16)
gen_require(` gen_require(`
class passwd rootok; class passwd rootok;
@ -287,12 +287,13 @@ ifdef(`targeted_policy',`
files_lock_filetrans(system_crond_t,system_crond_lock_t,file) files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
# write temporary files # write temporary files
allow system_crond_t system_crond_tmp_t:file create_file_perms; allow system_crond_t system_crond_tmp_t:file manage_file_perms;
allow system_crond_t system_crond_tmp_t:lnk_file create_lnk_perms;
files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file) files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
# write temporary files in crond tmp dir: # write temporary files in crond tmp dir:
allow system_crond_t crond_tmp_t:dir rw_dir_perms; allow system_crond_t crond_tmp_t:dir rw_dir_perms;
type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t; type_transition system_crond_t crond_tmp_t:{ file lnk_file } system_crond_tmp_t;
# Read from /var/spool/cron. # Read from /var/spool/cron.
allow system_crond_t cron_spool_t:dir r_dir_perms; allow system_crond_t cron_spool_t:dir r_dir_perms;
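Review bot: The hunk lets system_crond_t create symlinks in crond_tmp_t (the new `lnk_file create_lnk_perms` line and the widened `type_transition ... { file lnk_file }`), but the comment above it still reads only `# write temporary files`, and nothing records which cron job needed a symlink there. A job-created symlink of type system_crond_tmp_t inside crond's own tmp dir could redirect crond_t's tmp-file handling if crond_t is allowed to follow system_crond_tmp_t:lnk_file; that rule is outside this hunk, so confirm it rather than assume it, and say so: `# write temporary files and symlinks (jobs may symlink inside crond_tmp_t; crond_t must not follow system_crond_tmp_t symlinks)`. The move from create_file_perms to manage_file_perms also deserves a word if the two sets differ in this policy version, since it reads as a permission widening.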


@ -26,10 +26,12 @@ ifdef(`distro_suse', `
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0) /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
')
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
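Review bot: Wrapping `/var/log/audit\.log` in `ifndef(`distro_gentoo', ...)` leaves that path on Gentoo to the generic `/var/log/.*` rule, i.e. var_log_t, with no comment saying why. If the reason is that on Gentoo something other than auditd owns /var/log/audit.log (an inference — confirm), name it inside the ifndef: `# Gentoo: /var/log/audit.log is not auditd's log, leave it var_log_t`; if instead auditd can still be configured to write there on Gentoo, its log ends up readable by every domain that reads generic logs and the exclusion is a downgrade. A one-line comment settles which of the two it is.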


@ -1,5 +1,5 @@
policy_module(logging,1.3.13) policy_module(logging,1.3.14)
######################################## ########################################
# #


@ -1,5 +1,5 @@
policy_module(modutils,1.1.6) policy_module(modutils,1.1.7)
gen_require(` gen_require(`
bool secure_mode_insmod; bool secure_mode_insmod;
@ -278,6 +278,7 @@ userdom_dontaudit_search_sysadm_home_dirs(update_modules_t)
ifdef(`distro_gentoo',` ifdef(`distro_gentoo',`
files_search_pids(update_modules_t) files_search_pids(update_modules_t)
files_getattr_usr_src_files(update_modules_t) files_getattr_usr_src_files(update_modules_t)
files_list_isid_type_dirs(update_modules_t) # /var
optional_policy(` optional_policy(`
consoletype_exec(update_modules_t) consoletype_exec(update_modules_t)
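Review bot: `files_list_isid_type_dirs(update_modules_t)` with the bare `# /var` comment grants listing of every directory carrying the initial-SID (unlabeled) type, not just /var, and reads as a workaround for a filesystem that is not labeled at the time update-modules runs. Whether /var is actually unlabeled on Gentoo at that point is not visible here — confirm — but the comment should state the real condition and that relabeling is the proper fix, e.g. `# Gentoo: /var may still be unlabeled (file_t) when update-modules runs at boot; list-only until relabeled`. If listing is not actually required for update-modules to succeed, a dontaudit is the smaller grant.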