fixes for gentoo
parent
5f4b5698c1
commit
46fc46cfdd
@ -35,11 +35,8 @@ ifdef(`distro_suse',`
|
||||
#
|
||||
# /emul
|
||||
#
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
/emul -d gen_context(system_u:object_r:usr_t,s0)
|
||||
/emul/.* gen_context(system_u:object_r:usr_t,s0)
|
||||
')
|
||||
|
||||
#
|
||||
# /etc
|
||||
|
@ -3,5 +3,8 @@
|
||||
|
||||
/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
|
||||
|
||||
/usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
|
||||
/usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
|
||||
/usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
|
||||
|
||||
/var/run/cpufreqd.pid -- gen_context(system_u:object_r:cpuspeed_var_run_t,s0)
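Review bot: The new `/var/run/cpufreqd.pid` entry leaves the dot unescaped, so the regex also matches names such as `/var/run/cpufreqdXpid`, while the same commit escapes it in xserver.fc (`/var/run/[gx]dm\.pid`). Use `/var/run/cpufreqd\.pid -- gen_context(system_u:object_r:cpuspeed_var_run_t,s0)` for consistency. The daemons added above (cpufreqd, powernowd) get cpuspeed_exec_t and so run as cpuspeed_t, which matches the pid-file type granted to that domain in cpucontrol.te.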
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cpucontrol,1.0.0)
|
||||
policy_module(cpucontrol,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -17,6 +17,9 @@ type cpuspeed_t;
|
||||
type cpuspeed_exec_t;
|
||||
init_system_domain(cpuspeed_t,cpuspeed_exec_t)
|
||||
|
||||
type cpuspeed_var_run_t;
|
||||
files_pid_file(cpuspeed_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# CPU microcode loader local policy
|
||||
@ -82,21 +85,26 @@ dontaudit cpuspeed_t self:capability sys_tty_config;
|
||||
allow cpuspeed_t self:process { signal_perms setsched };
|
||||
allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
allow cpuspeed_t cpuspeed_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(cpuspeed_t,cpuspeed_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(cpuspeed_t)
|
||||
kernel_read_kernel_sysctls(cpuspeed_t)
|
||||
|
||||
dev_rw_sysfs(cpuspeed_t)
|
||||
|
||||
fs_search_auto_mountpoints(cpuspeed_t)
|
||||
|
||||
term_dontaudit_use_console(cpuspeed_t)
|
||||
|
||||
domain_use_interactive_fds(cpuspeed_t)
|
||||
# for demand/load-based scaling:
|
||||
domain_read_all_domains_state(cpuspeed_t)
|
||||
|
||||
files_read_etc_files(cpuspeed_t)
|
||||
files_read_etc_runtime_files(cpuspeed_t)
|
||||
files_list_usr(cpuspeed_t)
|
||||
|
||||
fs_search_auto_mountpoints(cpuspeed_t)
|
||||
|
||||
term_dontaudit_use_console(cpuspeed_t)
|
||||
|
||||
init_use_fds(cpuspeed_t)
|
||||
init_use_script_ptys(cpuspeed_t)
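Review bot: `domain_read_all_domains_state(cpuspeed_t)` is a broad grant — it lets the daemon read the /proc/&lt;pid&gt; state of every domain on the system — and the comment `# for demand/load-based scaling:` does not say which daemon or which /proc entries need it. If only system-wide load figures are read, the `kernel_read_system_state(cpuspeed_t)` already present in this hunk presumably covers them; if a specific daemon walks per-process entries, name it in the comment, e.g. `# cpufreqd reads per-process state for demand/load-based scaling`. The repeated `fs_search_auto_mountpoints`/`term_dontaudit_use_console` lines look like a move (old position removed, new position added) rather than a duplicate — worth confirming against the raw diff. The new pid-file rules pair with the `/var/run/cpufreqd.pid` context added in cpucontrol.fc.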
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(privoxy,1.1.1)
|
||||
policy_module(privoxy,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -42,12 +42,11 @@ kernel_read_kernel_sysctls(privoxy_t)
|
||||
kernel_list_proc(privoxy_t)
|
||||
kernel_read_proc_symlinks(privoxy_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(privoxy_t)
|
||||
corenet_raw_sendrecv_all_if(privoxy_t)
|
||||
corenet_tcp_sendrecv_all_nodes(privoxy_t)
|
||||
corenet_raw_sendrecv_all_nodes(privoxy_t)
|
||||
corenet_tcp_sendrecv_all_ports(privoxy_t)
|
||||
corenet_non_ipsec_sendrecv(privoxy_t)
|
||||
corenet_tcp_sendrecv_all_if(privoxy_t)
|
||||
corenet_tcp_sendrecv_all_nodes(privoxy_t)
|
||||
corenet_tcp_sendrecv_all_ports(privoxy_t)
|
||||
corenet_tcp_bind_all_nodes(privoxy_t)
|
||||
corenet_tcp_bind_http_cache_port(privoxy_t)
|
||||
corenet_tcp_connect_http_port(privoxy_t)
|
||||
corenet_tcp_connect_http_cache_port(privoxy_t)
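Review bot: The new side drops `corenet_raw_sendrecv_all_if`/`corenet_raw_sendrecv_all_nodes` for privoxy_t, a sensible tightening for an HTTP proxy, but any `allow privoxy_t self:rawip_socket ...` rule that may remain outside this hunk would now be dead and should go in the same change. `corenet_non_ipsec_sendrecv(privoxy_t)` is added so traffic without an IPsec association still passes; a one-line comment stating that intent, e.g. `# plain (non-IPsec) traffic`, would help the next reader.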
|
||||
|
@ -97,7 +97,7 @@ ifdef(`distro_debian', `
|
||||
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
|
||||
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
|
||||
ifdef(`distro_suse',`
|
||||
|
@ -230,16 +230,16 @@ ifdef(`strict_policy',`
|
||||
allow xdm_t xdm_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(xdm_t,xdm_lock_t,file)
|
||||
|
||||
allow xdm_t xdm_tmp_t:dir create_dir_perms;
|
||||
allow xdm_t xdm_tmp_t:file create_file_perms;
|
||||
allow xdm_t xdm_tmp_t:file create_file_perms;
|
||||
allow xdm_t xdm_tmp_t:dir manage_dir_perms;
|
||||
allow xdm_t xdm_tmp_t:file manage_file_perms;
|
||||
allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
|
||||
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
|
||||
|
||||
allow xdm_t xdm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
allow xdm_t xdm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow xdm_t xdm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
|
||||
allow xdm_t xdm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow xdm_t xdm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow xdm_t xdm_tmpfs_t:dir manage_dir_perms;
|
||||
allow xdm_t xdm_tmpfs_t:file manage_file_perms;
|
||||
allow xdm_t xdm_tmpfs_t:lnk_file create_lnk_perms;
|
||||
allow xdm_t xdm_tmpfs_t:sock_file manage_file_perms;
|
||||
allow xdm_t xdm_tmpfs_t:fifo_file manage_file_perms;
|
||||
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow xdm_t xdm_var_lib_t:file create_file_perms;
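Review bot: Replacing the explicit xdm_tmpfs_t permission sets with `manage_dir_perms` widens what xdm_t may do on those directories: the old set (`read getattr lock search ioctl add_name remove_name write`) had no `create`, `rmdir`, `setattr`, `rename`, `link` or `unlink`, all of which manage_dir_perms carries; the file/sock_file/fifo_file and lnk_file replacements match the old explicit lists much more closely. That is likely fine for xdm's own tmpfs content, but the hunk should record the decision, e.g. `# xdm_t fully owns its tmpfs/tmp content, so manage_* rather than the old minimal sets` above the new tmpfs rules. The `xdm_tmp_t:sock_file manage_file_perms` rule and the `sock_file` class added to `files_tmp_filetrans` are likewise new capabilities rather than a rewrite of existing ones. The enclosing `ifdef(strict_policy',` block begins before this hunk.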
|
||||
@ -247,8 +247,9 @@ ifdef(`strict_policy',`
|
||||
files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
|
||||
|
||||
allow xdm_t xdm_var_run_t:dir manage_dir_perms;
|
||||
allow xdm_t xdm_var_run_t:file manage_file_perms;
|
||||
allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
|
||||
files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir fifo_file })
|
||||
files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file })
|
||||
|
||||
allow xdm_t xdm_xserver_t:process signal;
|
||||
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
|
||||
@ -311,6 +312,8 @@ ifdef(`targeted_policy',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
unconfined_domain(xdm_t)
|
||||
unconfined_domtrans(xdm_t)
|
||||
userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
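Review bot: The two new calls in the targeted_policy block carry no comment on why xdm_t must create files and directories labelled as generic user home content; `userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })` is a broad transition and the reason (presumably per-user session files written at login — confirm which ones) belongs next to it, e.g. `# xdm writes per-user session files into home directories`. `unconfined_domtrans(xdm_t)` adds a transition to unconfined_t on top of the existing `unconfined_domain(xdm_t)`; a short comment naming what gets executed that needs it would help as well. The enclosing `ifdef(targeted_policy',` block begins before this hunk.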
|
||||
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
@ -383,7 +386,7 @@ optional_policy(`
|
||||
# XDM Xserver local policy
|
||||
#
|
||||
|
||||
allow xdm_xserver_t xdm_t:process signal;
|
||||
allow xdm_xserver_t xdm_t:process { signal getpgid };
|
||||
allow xdm_xserver_t xdm_t:shm rw_shm_perms;
|
||||
|
||||
# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
|
||||
|
@ -1,6 +1,14 @@
|
||||
#
|
||||
# /emul
|
||||
#
|
||||
ifdef(`distro_gentoo',`
|
||||
/emul/linux/x86/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/emul/linux/x86/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/emul/linux/x86/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/emul/linux/x86/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/emul/linux/x86/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
/emul/ia32-linux/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
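Review bot: The new `ifdef(distro_gentoo',` block has no comment on what `/emul/linux/x86` is, while the distro_redhat block directly below covers the equivalent `/emul/ia32-linux` tree; a line such as `# 32-bit multilib tree on Gentoo amd64 (same role as /emul/ia32-linux on Red Hat)` above the ifdef would tell a reader the two blocks are the same thing for different distros. Note also that the ld_so_t pattern covers only `/emul/linux/x86/lib(/.*)?/ld-...`, whereas the shlib_t patterns cover both the `lib` and `usr(/.*)?/lib` trees; if the dynamic loader can live under `usr/lib` in that tree it would be labelled shlib_t rather than ld_so_t. The native `/lib(64)?(/.*)?/ld-...` rule in the next hunk has the same shape, so this may be intentional — worth a word in the comment either way.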
|
||||
@ -29,6 +37,12 @@ ifdef(`distro_redhat',`
|
||||
/lib(64)?/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
/lib32(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/lib32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
')
|
||||
|
||||
#
|
||||
# /opt
|
||||
#
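Review bot: The three new `/lib32` lines duplicate the native `/lib(64)?` patterns visible at the top of this hunk; unless the intent is to keep them Gentoo-only, folding them into the generic entries by changing the stem to `/lib(32|64)?` on the lib_t, shlib_t and ld_so_t rules removes the duplication and covers `/lib32` on any other multilib layout too. The new rules also differ slightly from the native ones: the native ld_so_t rule allows subdirectories via `(/.*)?` before `/ld-`, while `/lib32/ld-[^/]*\.so(\.[^/]*)*` does not, so a loader in a subdirectory of /lib32 would fall through to the shlib_t rule. If the separate block is kept, a comment stating why (e.g. `# /lib32 exists only on Gentoo multilib amd64`) would stop the next reader from merging them.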
|
||||
|
@ -1,3 +1,10 @@
|
||||
#
|
||||
# /emul
|
||||
#
|
||||
ifdef(`distro_gentoo',`
|
||||
/emul/linux/x86/usr/(X11R6/)?lib/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
|
||||
')
|
||||
|
||||
#
|
||||
# /etc
|
||||
#
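Review bot: The new locale_t entry overlaps with the `/emul/linux/x86/usr(/.*)?/lib(/.*)?` lib_t rule this commit adds in libraries.fc — both match `/emul/linux/x86/usr/lib/X11/locale/...`, so which label wins depends on file_contexts ordering and specificity rather than on this line alone. The native `/usr/(X11R6/)?lib/X11/locale(/.*)?` rule (outside this hunk) presumably coexists with the native `/usr/lib` patterns the same way, so this is likely fine, but it is worth confirming with matchpathcon on a Gentoo amd64 build and noting the result, e.g. `# overlaps the /emul lib_t rule in libraries.fc; locale_t wins by specificity (verified)`.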
|
||||
|