- Allow groupd transition to fenced domain when executes fence_node
- Fixes for rhcs policy - Allow mpd to be able to read samba/nfs files
parent
ded1efb9d8
commit
5d168a352b
@ -24082,10 +24082,10 @@ index 0000000..311aaed
|
||||
+')
|
||||
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
|
||||
new file mode 100644
|
||||
index 0000000..68af4e8
|
||||
index 0000000..5391d10
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/services/mpd.te
|
||||
@@ -0,0 +1,111 @@
|
||||
@@ -0,0 +1,121 @@
|
||||
+policy_module(mpd, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -24184,6 +24184,16 @@ index 0000000..68af4e8
|
||||
+userdom_read_home_audio_files(mpd_t)
|
||||
+userdom_read_user_tmpfs_files(mpd_t)
|
||||
+
|
||||
+tunable_policy(`use_samba_home_dirs',`
|
||||
+ fs_read_cifs_files(mpd_t)
|
||||
+ fs_read_cifs_symlinks(mpd_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`use_nfs_home_dirs',`
|
||||
+ fs_read_nfs_files(mpd_t)
|
||||
+ fs_read_nfs_symlinks(mpd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client(mpd_t)
|
||||
+')
|
||||
@ -30843,7 +30853,7 @@ index de37806..229a3c7 100644
|
||||
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
|
||||
index 93c896a..8d40ec9 100644
|
||||
index 93c896a..b6f0f45 100644
|
||||
--- a/policy/modules/services/rhcs.te
|
||||
+++ b/policy/modules/services/rhcs.te
|
||||
@@ -6,13 +6,15 @@ policy_module(rhcs, 1.1.0)
|
||||
@ -30876,7 +30886,7 @@ index 93c896a..8d40ec9 100644
|
||||
#####################################
|
||||
#
|
||||
# dlm_controld local policy
|
||||
@@ -55,17 +61,13 @@ fs_manage_configfs_dirs(dlm_controld_t)
|
||||
@@ -55,20 +61,17 @@ fs_manage_configfs_dirs(dlm_controld_t)
|
||||
|
||||
init_rw_script_tmp_files(dlm_controld_t)
|
||||
|
||||
@ -30895,7 +30905,11 @@ index 93c896a..8d40ec9 100644
|
||||
|
||||
allow fenced_t self:tcp_socket create_stream_socket_perms;
|
||||
allow fenced_t self:udp_socket create_socket_perms;
|
||||
@@ -82,7 +84,10 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
|
||||
+allow fenced_t self:unix_stream_socket connectto;
|
||||
|
||||
can_exec(fenced_t, fenced_exec_t)
|
||||
|
||||
@@ -82,7 +85,10 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
|
||||
|
||||
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
|
||||
|
||||
@ -30906,7 +30920,7 @@ index 93c896a..8d40ec9 100644
|
||||
|
||||
corenet_tcp_connect_http_port(fenced_t)
|
||||
|
||||
@@ -104,9 +109,13 @@ tunable_policy(`fenced_can_network_connect',`
|
||||
@@ -104,9 +110,13 @@ tunable_policy(`fenced_can_network_connect',`
|
||||
corenet_tcp_connect_all_ports(fenced_t)
|
||||
')
|
||||
|
||||
@ -30921,7 +30935,7 @@ index 93c896a..8d40ec9 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -120,7 +129,6 @@ optional_policy(`
|
||||
@@ -120,7 +130,6 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow gfs_controld_t self:capability { net_admin sys_resource };
|
||||
@ -30929,7 +30943,7 @@ index 93c896a..8d40ec9 100644
|
||||
allow gfs_controld_t self:shm create_shm_perms;
|
||||
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
@@ -139,10 +147,6 @@ storage_getattr_removable_dev(gfs_controld_t)
|
||||
@@ -139,10 +148,6 @@ storage_getattr_removable_dev(gfs_controld_t)
|
||||
init_rw_script_tmp_files(gfs_controld_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -30940,15 +30954,19 @@ index 93c896a..8d40ec9 100644
|
||||
lvm_exec(gfs_controld_t)
|
||||
dev_rw_lvm_control(gfs_controld_t)
|
||||
')
|
||||
@@ -154,7 +158,6 @@ optional_policy(`
|
||||
@@ -154,9 +159,10 @@ optional_policy(`
|
||||
|
||||
allow groupd_t self:capability { sys_nice sys_resource };
|
||||
allow groupd_t self:process setsched;
|
||||
-
|
||||
allow groupd_t self:shm create_shm_perms;
|
||||
|
||||
+domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
|
||||
+
|
||||
dev_list_sysfs(groupd_t)
|
||||
@@ -168,8 +171,7 @@ init_rw_script_tmp_files(groupd_t)
|
||||
|
||||
files_read_etc_files(groupd_t)
|
||||
@@ -168,8 +174,7 @@ init_rw_script_tmp_files(groupd_t)
|
||||
# qdiskd local policy
|
||||
#
|
||||
|
||||
@ -30958,7 +30976,7 @@ index 93c896a..8d40ec9 100644
|
||||
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow qdiskd_t self:udp_socket create_socket_perms;
|
||||
|
||||
@@ -207,10 +209,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
|
||||
@@ -207,10 +212,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
|
||||
auth_use_nsswitch(qdiskd_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -30969,7 +30987,7 @@ index 93c896a..8d40ec9 100644
|
||||
netutils_domtrans_ping(qdiskd_t)
|
||||
')
|
||||
|
||||
@@ -223,18 +221,24 @@ optional_policy(`
|
||||
@@ -223,18 +224,24 @@ optional_policy(`
|
||||
# rhcs domains common policy
|
||||
#
|
||||
|
||||
|
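Review bot: The two new `tunable_policy` blocks in mpd.te give `mpd_t` read access to every file typed `cifs_t` or `nfs_t` once `use_samba_home_dirs` or `use_nfs_home_dirs` is on, which is wider than the neighbouring `userdom_read_home_audio_files(mpd_t)`. Network mounts usually carry one label for the whole share, so the audio-only restriction presumably does not hold there; that is worth stating next to the rules, e.g. `# cifs/nfs mounts are not labeled per file: with the boolean on, mpd can read the whole share, not only audio files`. Both booleans are named for home directories and are presumably shared with other domains, so turning one on for mpd would enable the matching rules elsewhere as well (only the mpd use is visible here). The rhcs.te part adds `domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)` without a comment; the commit message ties it to fence_node, and a one-line `# groupd runs fence_node, which must enter fenced_t` would record why the transition exists.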
@ -21,7 +21,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.9.8
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -471,6 +471,11 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Nov 10 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.8-4
|
||||
- Allow groupd transition to fenced domain when executes fence_node
|
||||
- Fixes for rchs policy
|
||||
- Allow mpd to be able to read samba/nfs files
|
||||
|
||||
* Tue Nov 9 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-3
|
||||
- Fix up corecommands.fc to match upstream
|
||||
- Make sure /lib/systemd/* is labeled init_exec_t
|
||||
|