* Mon Mar 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-121

- Allow kmscon to read system state. BZ (1206871)
- Label ~/.abrt/ as abrt_etc_t. BZ(1199658)
- Allow xdm_t to read colord_var_lib_t files. BZ(1201985)
Lukas Vrabec 2015-03-30 20:13:54 +02:00
parent 734dd8ae6f
commit 5852f33770
3 changed files with 169 additions and 150 deletions

File diff suppressed because it is too large Load Diff


@ -6,19 +6,21 @@ index 0000000..bea5755
@@ -0,0 +1 @@
+TAGS
diff --git a/abrt.fc b/abrt.fc
index 1a93dc5..f2b26f5 100644
index 1a93dc5..7a7d67e 100644
--- a/abrt.fc
+++ b/abrt.fc
@@ -1,31 +1,46 @@
@@ -1,31 +1,48 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+HOME_DIR/\.config/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
+
+/usr/bin/abrt-dump-.* -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
@ -7809,7 +7811,7 @@ index 1a7a97e..2c7252a 100644
domain_system_change_exemption($1)
role_transition $2 apmd_initrc_exec_t system_r;
diff --git a/apm.te b/apm.te
index 7fd431b..5ce1846 100644
index 7fd431b..e9c4c5a 100644
--- a/apm.te
+++ b/apm.te
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
@ -7838,11 +7840,13 @@ index 7fd431b..5ce1846 100644
domain_use_interactive_fds(apm_t)
@@ -60,7 +63,7 @@ logging_send_syslog_msg(apm_t)
@@ -59,8 +62,8 @@ logging_send_syslog_msg(apm_t)
# Server local policy
#
allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
-allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod sys_resource };
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
@ -40233,10 +40237,10 @@ index 0000000..b9347fa
+')
diff --git a/kmscon.te b/kmscon.te
new file mode 100644
index 0000000..be3d5d6
index 0000000..32a9e13
--- /dev/null
+++ b/kmscon.te
@@ -0,0 +1,86 @@
@@ -0,0 +1,88 @@
+# KMSCon SELinux policy module
+# Contributed by Lubomir Rintel <lkundrak@v3.sk>
+
@ -40280,6 +40284,8 @@ index 0000000..be3d5d6
+list_dirs_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
+read_files_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
+
+kernel_read_system_state(kmscon_t)
+
+auth_read_passwd(kmscon_t)
+
+dev_rw_dri(kmscon_t)
@ -66883,7 +66889,7 @@ index 30e751f..61feb3a 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/plymouthd.te b/plymouthd.te
index 3078ce9..18872dc 100644
index 3078ce9..c57d1cf 100644
--- a/plymouthd.te
+++ b/plymouthd.te
@@ -15,7 +15,7 @@ type plymouthd_exec_t;
@ -66923,7 +66929,7 @@ index 3078ce9..18872dc 100644
logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
@@ -70,19 +69,26 @@ domain_use_interactive_fds(plymouthd_t)
@@ -70,19 +69,27 @@ domain_use_interactive_fds(plymouthd_t)
fs_getattr_all_fs(plymouthd_t)
@ -66933,15 +66939,16 @@ index 3078ce9..18872dc 100644
term_getattr_pty_fs(plymouthd_t)
term_use_all_terms(plymouthd_t)
term_use_ptmx(plymouthd_t)
-miscfiles_read_localization(plymouthd_t)
+term_use_usb_ttys(plymouthd_t)
+
+init_signal(plymouthd_t)
+
+logging_link_generic_logs(plymouthd_t)
+logging_delete_generic_logs(plymouthd_t)
+
+auth_use_nsswitch(plymouthd_t)
+
-miscfiles_read_localization(plymouthd_t)
miscfiles_read_fonts(plymouthd_t)
miscfiles_manage_fonts_cache(plymouthd_t)
@ -66955,7 +66962,7 @@ index 3078ce9..18872dc 100644
')
optional_policy(`
@@ -90,35 +96,37 @@ optional_policy(`
@@ -90,35 +97,37 @@ optional_policy(`
')
optional_policy(`
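Review bot: The apm.te hunk appears to widen `allow apmd_t self:capability` with `sys_resource`, yet none of the three changelog entries mentions apmd_t or cites a bug for it. CAP_SYS_RESOURCE lets a domain override resource limits and quotas, so the grant should be traceable: add a changelog line such as `- Allow apmd_t sys_resource capability. BZ(<bug id>)` and keep the AVC denial that motivated it with that bug. Separately, the abrt.fc hunk labels `HOME_DIR/\.config/abrt(/.*)?` while the changelog says `~/.abrt/`, so one of the two should be corrected. That entry also gives user-writable home content the same `abrt_etc_t` type as `/etc/abrt`; confirm that no abrt domain treats this type as trusted system configuration, or give the home directory a dedicated type. The +/- column of the outer diff is lost in this rendering, so which inner lines are new is inferred from the changed hunk counts.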


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 120%{?dist}
Release: 121%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -602,6 +602,11 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Mon Mar 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-121
- Allow kmscon to read system state. BZ (1206871)
- Label ~/.abrt/ as abrt_etc_t. BZ(1199658)
- Allow xdm_t to read colord_var_lib_t files. BZ(1201985)
* Mon Mar 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-120
- Allow mysqld_t to use pam. BZ(1196104)
- Added label mysqld_etc_t for /etc/my.cnf.d/ dir. BZ(1203989)