Make sure content created in the homedir by uncnfined domains get created with the corect label. specifically /.readahead

2012-08-08 11:20:07 -04:00 · 2012-08-08 11:20:07 -04:00 · 5991fc8049
parent e88478c88d
commit 5991fc8049
3 changed files with 187 additions and 144 deletions
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@ -47944,10 +47944,10 @@ index 0000000..48ea717
 +')
 diff --git a/realmd.te b/realmd.te
 new file mode 100644
-index 0000000..3f5f701
+index 0000000..314e17e
 --- /dev/null
 +++ b/realmd.te
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,44 @@
 +policy_module(realmd, 1.0.0)
 +
 +########################################
@ -47958,7 +47958,6 @@ index 0000000..3f5f701
 +type realmd_t;
 +type realmd_exec_t;
 +application_domain(realmd_t, realmd_exec_t)
 +role system_r types realmd_t;
 +
 +########################################
 +#
@ -52468,20 +52467,19 @@ index 905883f..564240d 100644
 +	can_exec(smbd_t, samba_unconfined_script_exec_t)
 ')
 diff --git a/sambagui.te b/sambagui.te
-index 1898dbd..eec2a5a 100644
+index 1898dbd..43fcb73 100644
 --- a/sambagui.te
 +++ b/sambagui.te
-@@ -7,7 +7,8 @@ policy_module(sambagui, 1.1.0)
+@@ -7,7 +7,7 @@ policy_module(sambagui, 1.1.0)
 type sambagui_t;
 type sambagui_exec_t;
 -dbus_system_domain(sambagui_t, sambagui_exec_t)
 +application_domain(sambagui_t, sambagui_exec_t)
 +role system_r types sambagui_t;
 ########################################
 #
-@@ -27,21 +28,30 @@ corecmd_exec_bin(sambagui_t)
+@@ -27,21 +27,30 @@ corecmd_exec_bin(sambagui_t)
 dev_dontaudit_read_urand(sambagui_t)
@ -52513,7 +52511,7 @@ index 1898dbd..eec2a5a 100644
 	nscd_dontaudit_search_pid(sambagui_t)
 ')
-@@ -56,6 +66,7 @@ optional_policy(`
+@@ -56,6 +65,7 @@ optional_policy(`
 	samba_manage_var_files(sambagui_t)
 	samba_read_secrets(sambagui_t)
 	samba_initrc_domtrans(sambagui_t)
@ -63450,7 +63448,7 @@ index 0000000..14c5c0a
 +
 +miscfiles_read_localization(wdmd_t)
 diff --git a/webadm.te b/webadm.te
-index 0ecc786..e0f21c3 100644
+index 0ecc786..3e7e984 100644
 --- a/webadm.te
 +++ b/webadm.te
@@ -28,7 +28,7 @@ userdom_base_user_template(webadm)
@ -63462,6 +63460,14 @@ index 0ecc786..e0f21c3 100644
 files_dontaudit_search_all_dirs(webadm_t)
 files_manage_generic_locks(webadm_t)
@@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t)
 seutil_domtrans_setfiles(webadm_t)
 logging_send_syslog_msg(webadm_t)
 +logging_send_audit_msgs(webadm_t)
 userdom_dontaudit_search_user_home_dirs(webadm_t)
 diff --git a/webalizer.te b/webalizer.te
 index 32b4f76..ea008d8 100644
 --- a/webalizer.te
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 3%{?dist}
+Release: 3.1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -491,6 +491,9 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Tue Aug 8 2012 Dan Walsh <dwalshl@redhat.com> 3.11.1-3.1
 - Update with fixes for SECure linux containers
 * Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-3
 - Add role rules for realmd, sambagui