rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

- Allow xdm to create user_tmp_t sockets for switch user to work

Browse Source
This commit is contained in:
Daniel J Walsh 2009-02-09 14:23:24 +00:00
parent 598de2dbc3
commit 4ed140a4b7
2 changed files with 16 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
policy-20090105.patch
View File

@ -3430,12 +3430,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dbus_system_bus_client(podsleuth_t) dbus_system_bus_client(podsleuth_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.4/policy/modules/apps/qemu.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.4/policy/modules/apps/qemu.fc
--- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-08-07 11:15:02.000000000 -0400 --- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-08-07 11:15:02.000000000 -0400
+++ serefpolicy-3.6.4/policy/modules/apps/qemu.fc 2009-02-03 22:57:29.000000000 -0500 +++ serefpolicy-3.6.4/policy/modules/apps/qemu.fc 2009-02-09 09:21:47.000000000 -0500
@@ -1,2 +1,4 @@ @@ -1,2 +1,6 @@
/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) /usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+ +
+/var/cache/libvirt(/.*)? -- gen_context(system_u:object_r:qemu_cache_t,s0) +/var/cache/libvirt(/.*)? -- gen_context(system_u:object_r:qemu_cache_t,s0)
+
+/var/run/libvirt/qemu(/.*)? -- gen_context(system_u:object_r:qemu_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.4/policy/modules/apps/qemu.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.4/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2009-01-19 11:03:28.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/qemu.if 2009-01-19 11:03:28.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/apps/qemu.if 2009-02-03 22:57:29.000000000 -0500 +++ serefpolicy-3.6.4/policy/modules/apps/qemu.if 2009-02-03 22:57:29.000000000 -0500
@ -3764,7 +3766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.4/policy/modules/apps/qemu.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.4/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/apps/qemu.te 2009-02-03 22:57:29.000000000 -0500 +++ serefpolicy-3.6.4/policy/modules/apps/qemu.te 2009-02-09 09:22:15.000000000 -0500
@@ -6,6 +6,8 @@ @@ -6,6 +6,8 @@
# Declarations # Declarations
# #
@ -3774,7 +3776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## <desc> ## <desc>
## <p> ## <p>
## Allow qemu to connect fully to the network ## Allow qemu to connect fully to the network
@@ -13,28 +15,154 @@ @@ -13,28 +15,160 @@
## </desc> ## </desc>
gen_tunable(qemu_full_network, false) gen_tunable(qemu_full_network, false)
@ -3807,6 +3809,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+type qemu_cache_t; +type qemu_cache_t;
+files_type(qemu_cache_t) +files_type(qemu_cache_t)
+ +
+type qemu_var_run_t;
+files_pid_file(qemu_var_run_t)
+
+######################################## +########################################
+# +#
+# qemu common policy +# qemu common policy
@ -3823,6 +3828,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+manage_files_pattern(qemu_t, qemu_cache_t, qemu_cache_t) +manage_files_pattern(qemu_t, qemu_cache_t, qemu_cache_t)
+files_var_filetrans(qemu_t, qemu_cache_t, { file dir }) +files_var_filetrans(qemu_t, qemu_cache_t, { file dir })
+ +
+manage_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
+files_pid_filetrans(qemu_t, qemu_var_run_t, file)
+
+kernel_read_system_state(qemutype) +kernel_read_system_state(qemutype)
+ +
+corenet_all_recvfrom_unlabeled(qemutype) +corenet_all_recvfrom_unlabeled(qemutype)

5
selinux-policy.spec
View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.6.4 Version: 3.6.4
Release: 4%{?dist} Release: 5%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -444,6 +444,9 @@ exit 0
%endif %endif
%changelog %changelog
* Sun Feb 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-5
- Allow xdm to create user_tmp_t sockets for switch user to work
* Thu Feb 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-4 * Thu Feb 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-4
- Fix staff_t domain - Fix staff_t domain