Fixes for f14

This commit is contained in:
Dan Walsh 2010-08-26 15:29:37 -04:00
parent 46c24a359b
commit 4765a595e8
10 changed files with 86 additions and 0 deletions


@ -21,3 +21,21 @@ interface(`firewallgui_dbus_chat',`
allow $1 firewallgui_t:dbus send_msg;
allow firewallgui_t $1:dbus send_msg;
')
########################################
## <summary>
## Read and write firewallgui unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`firewallgui_dontaudit_rw_pipes',`
gen_require(`
type firewallgui_t;
')
dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
')
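Review bot: The documentation block on `firewallgui_dontaudit_rw_pipes` reads as if the interface grants access (`## Read and write firewallgui unnamed pipes.` and `## Domain allowed access.`), but the body is a single dontaudit rule, so it only silences denials and a caller expecting the access will still be refused. Use the wording this commit itself uses for `files_dontaudit_list_all_mountpoints`: `## Do not audit attempts to read and write firewallgui unnamed pipes.` for the summary and `## Domain to not audit.` for the parameter. The permission set `rw_inherited_fifo_file_perms` is not defined on this page; assuming it exists in the policy's permission-set definitions, the interface is otherwise complete as shown.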


@ -10,6 +10,7 @@
/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
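Review bot: The new `/bin/mountpoint` entry labels a /bin program as `bin_t`, which is presumably the label /bin programs get by default, so on its own the line reads as redundant. If it is there to take precedence over a broader pattern elsewhere in the policy that would otherwise give `mountpoint` a different type (a mount-related label, presumably), that reason belongs in a comment above the line, e.g. `# explicit bin_t so mountpoint is not matched by a broader pattern elsewhere`, so the next reader does not remove it as dead weight.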


@ -1442,6 +1442,24 @@ interface(`files_dontaudit_search_all_mountpoints',`
dontaudit $1 mountpoint:dir search_dir_perms;
')
########################################
## <summary>
## Do not audit listing of all mount points.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`files_dontaudit_list_all_mountpoints',`
gen_require(`
attribute mountpoint;
')
dontaudit $1 mountpoint:dir list_dir_perms;
')
########################################
## <summary>
## Write all mount points.
@ -3840,6 +3858,24 @@ interface(`files_relabelto_system_conf_files',`
relabelto_files_pattern($1, system_conf_t, system_conf_t)
')
######################################
## <summary>
## Relabel manageable system configuration files in /etc.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_relabelfrom_system_conf_files',`
gen_require(`
type usr_t;
')
relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
')
###################################
## <summary>
## Create files in /etc with the type used for
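Review bot: In `files_relabelfrom_system_conf_files` the `gen_require` block asks for `type usr_t;` while the body relabels `system_conf_t` (`relabelfrom_files_pattern($1, system_conf_t, system_conf_t)`), so the interface declares a dependency on a type it never touches and omits the one it uses; it likely only builds because `system_conf_t` is already in scope from the base module. The require should read `type system_conf_t;`, matching what `files_relabelto_system_conf_files` just above presumably requires. Two smaller points in the same hunk: the summary `## Relabel manageable system configuration files in /etc.` does not say this is the relabelfrom half (the sibling is relabelto), and the `######` banner above it is shorter than the banner used by the other new interface in this file. The first hunk (`files_dontaudit_list_all_mountpoints`) looks consistent and needs no change.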


@ -144,6 +144,7 @@ corecmd_exec_shell(boinc_project_t)
corenet_tcp_connect_boinc_port(boinc_project_t)
dev_read_urand(boinc_project_t)
dev_rw_xserver_misc(boinc_project_t)
files_read_etc_files(boinc_project_t)
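Review bot: `dev_rw_xserver_misc(boinc_project_t)` gives read/write on what the interface names as the X server's miscellaneous device nodes to a domain that, judging by its name, runs the project-supplied work, and the hunk records no reason for a grant that wide. If this is for GPU-based projects, say so above the line, e.g. `# GPU projects need rw on the video device nodes`, and consider gating it behind a boolean so installs that never run GPU work do not carry the access. The surrounding rule list continues outside the hunk.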


@ -130,6 +130,7 @@ optional_policy(`
')
optional_policy(`
samba_domtrans_winbind_helper(radiusd_t)
samba_read_var_files(radiusd_t)
')


@ -341,6 +341,7 @@ files_read_usr_files(smbd_t)
files_search_spool(smbd_t)
# smbd seems to getattr all mountpoints
files_dontaudit_getattr_all_dirs(smbd_t)
files_dontaudit_list_all_mountpoints(smbd_t)
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
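Review bot: The existing comment `# smbd seems to getattr all mountpoints` now sits above two rules but only explains the first; the new `files_dontaudit_list_all_mountpoints(smbd_t)` additionally hides directory-listing denials on every mountpoint, which is a different observation. Update the comment so the suppressed behaviour is recorded, e.g. `# smbd seems to getattr and list all mountpoints`. Since a dontaudit removes the only trace of those denials from the audit log, the comment is what a future reader has left to judge whether the rule is still wanted.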


@ -450,6 +450,24 @@ interface(`virt_read_images',`
')
')
########################################
## <summary>
## Allow domain to read virt blk image files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_read_blk_images',`
gen_require(`
attribute virt_image_type;
')
read_blk_files_pattern($1, virt_image_type, virt_image_type)
')
########################################
## <summary>
## Create, read, write, and delete


@ -288,6 +288,8 @@ files_read_etc_runtime_files(virtd_t)
files_search_all(virtd_t)
files_read_kernel_modules(virtd_t)
files_read_usr_src_files(virtd_t)
files_relabelto_system_conf_files(virtd_t)
files_relabelfrom_system_conf_files(virtd_t)
# Manages /etc/sysconfig/system-config-firewall
files_manage_system_conf_files(virtd_t)
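Review bot: The two new relabel rules, `files_relabelto_system_conf_files(virtd_t)` and `files_relabelfrom_system_conf_files(virtd_t)`, are inserted above the comment `# Manages /etc/sysconfig/system-config-firewall`, so that comment now appears to explain only `files_manage_system_conf_files`. If the relabel rights exist for the same file (virtd resetting its label after rewriting it, presumably), move the comment above the new lines or extend it, e.g. `# Manages and relabels /etc/sysconfig/system-config-firewall`. Relabel permissions deserve a recorded reason: they let the domain change a file's type rather than only its content, even if here both directions stay within `system_conf_t`.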


@ -189,6 +189,10 @@ optional_policy(`
rhgb_stub(fsadm_t)
')
optional_policy(`
virt_read_blk_images(fsadm_t)
')
optional_policy(`
xen_append_log(fsadm_t)
xen_rw_image_files(fsadm_t)


@ -203,6 +203,10 @@ optional_policy(`
firstboot_dontaudit_rw_stream_sockets(insmod_t)
')
optional_policy(`
firewallgui_dontaudit_rw_pipes(insmod_t)
')
optional_policy(`
hal_write_log(insmod_t)
')