- Fix new usb devices and dmfm
This commit is contained in:
Daniel J Walsh
parent
6d2e7d5ebb
commit
8239a93362
|
|
@ -2356,8 +2356,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
|||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.4/policy/modules/kernel/devices.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-06-15 14:54:30.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/kernel/devices.fc 2007-07-31 13:38:24.000000000 -0400
|
||||
@@ -19,6 +19,7 @@
|
||||
+++ serefpolicy-3.0.4/policy/modules/kernel/devices.fc 2007-08-01 10:54:59.000000000 -0400
|
||||
@@ -12,6 +12,7 @@
|
||||
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
+/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||
/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
@@ -19,6 +20,7 @@
|
||||
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
|
||||
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
|
||||
|
|
@ -2365,7 +2373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
|||
/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||
@@ -53,7 +54,7 @@
|
||||
@@ -53,7 +55,7 @@
|
||||
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
|
|
@ -2374,15 +2382,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
|||
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
@@ -65,6 +66,7 @@
|
||||
@@ -64,7 +66,9 @@
|
||||
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
|
||||
+/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
+/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
ifdef(`distro_suse', `
|
||||
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||
@@ -127,3 +129,7 @@
|
||||
@@ -127,3 +131,7 @@
|
||||
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
||||
')
|
||||
|
|
@ -2392,7 +2402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.4/policy/modules/kernel/devices.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-06-15 14:54:30.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/kernel/devices.if 2007-07-25 13:27:51.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/kernel/devices.if 2007-08-01 10:56:52.000000000 -0400
|
||||
@@ -2803,6 +2803,24 @@
|
||||
|
||||
########################################
|
||||
|
|
@ -2820,7 +2830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
|||
# filesystem SID to label inodes in the following filesystem types,
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.4/policy/modules/kernel/kernel.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-07-03 07:05:38.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/kernel/kernel.if 2007-07-31 16:22:36.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/kernel/kernel.if 2007-08-01 11:26:14.000000000 -0400
|
||||
@@ -108,6 +108,24 @@
|
||||
|
||||
########################################
|
||||
|
|
@ -4152,10 +4162,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
|
|||
+optional_policy(`
|
||||
+ xserver_stream_connect_xdm(bluetooth_helper_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.0.4/policy/modules/services/clamav.fc
|
||||
--- nsaserefpolicy/policy/modules/services/clamav.fc 2007-05-29 14:10:57.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/clamav.fc 2007-08-01 11:30:09.000000000 -0400
|
||||
@@ -9,6 +9,8 @@
|
||||
|
||||
/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
|
||||
/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
|
||||
+/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
|
||||
+/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
|
||||
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
|
||||
/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
|
||||
/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.4/policy/modules/services/clamav.te
|
||||
--- nsaserefpolicy/policy/modules/services/clamav.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/clamav.te 2007-07-25 13:27:51.000000000 -0400
|
||||
@@ -208,9 +208,12 @@
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/clamav.te 2007-08-01 11:29:41.000000000 -0400
|
||||
@@ -74,17 +74,19 @@
|
||||
manage_files_pattern(clamd_t,clamd_var_lib_t,clamd_var_lib_t)
|
||||
|
||||
# log files
|
||||
-allow clamd_t clamd_var_log_t:dir setattr;
|
||||
+manage_dirs_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
|
||||
manage_files_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
|
||||
-logging_log_filetrans(clamd_t,clamd_var_log_t,file)
|
||||
+logging_log_filetrans(clamd_t,clamd_var_log_t,{ dir file })
|
||||
|
||||
# pid file
|
||||
+manage_dirs_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
|
||||
manage_files_pattern(clamd_t,clamd_var_run_t,clamd_var_run_t)
|
||||
manage_sock_files_pattern(clamd_t,clamd_var_run_t,clamd_var_run_t)
|
||||
-files_pid_filetrans(clamd_t,clamd_var_run_t,file)
|
||||
+files_pid_filetrans(clamd_t,clamd_var_run_t,{ file dir })
|
||||
|
||||
kernel_dontaudit_list_proc(clamd_t)
|
||||
kernel_read_sysctl(clamd_t)
|
||||
+kernel_read_kernel_sysctls(clamd_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(clamd_t)
|
||||
corenet_all_recvfrom_netlabel(clamd_t)
|
||||
@@ -208,9 +210,12 @@
|
||||
files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir })
|
||||
|
||||
# var/lib files together with clamd
|
||||
|
|
@ -4169,7 +4214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
|
|||
kernel_read_kernel_sysctls(clamscan_t)
|
||||
|
||||
files_read_etc_files(clamscan_t)
|
||||
@@ -228,3 +231,7 @@
|
||||
@@ -228,3 +233,7 @@
|
||||
optional_policy(`
|
||||
apache_read_sys_content(clamscan_t)
|
||||
')
|
||||
|
|
@ -6791,8 +6836,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
|||
fs_search_auto_mountpoints($1_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.4/policy/modules/services/rpc.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/rpc.te 2007-07-31 14:16:40.000000000 -0400
|
||||
@@ -59,10 +59,13 @@
|
||||
+++ serefpolicy-3.0.4/policy/modules/services/rpc.te 2007-08-01 11:35:43.000000000 -0400
|
||||
@@ -59,10 +59,14 @@
|
||||
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
|
||||
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
|
||||
|
||||
|
|
@ -6802,11 +6847,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
|||
kernel_search_network_state(rpcd_t)
|
||||
# for rpc.rquotad
|
||||
kernel_read_sysctl(rpcd_t)
|
||||
+kernel_read_fs_sysctl(rpcd_t)
|
||||
+kernel_getattr_core_if(nfsd_t)
|
||||
|
||||
fs_list_rpc(rpcd_t)
|
||||
fs_read_rpc_files(rpcd_t)
|
||||
@@ -76,9 +79,11 @@
|
||||
@@ -76,9 +80,11 @@
|
||||
miscfiles_read_certs(rpcd_t)
|
||||
|
||||
seutil_dontaudit_search_config(rpcd_t)
|
||||
|
|
@ -6818,7 +6864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -91,9 +96,13 @@
|
||||
@@ -91,9 +97,13 @@
|
||||
allow nfsd_t exports_t:file { getattr read };
|
||||
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
|
||||
|
||||
|
|
@ -6832,7 +6878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
|||
|
||||
corenet_tcp_bind_all_rpc_ports(nfsd_t)
|
||||
corenet_udp_bind_all_rpc_ports(nfsd_t)
|
||||
@@ -123,6 +132,7 @@
|
||||
@@ -123,6 +133,7 @@
|
||||
tunable_policy(`nfs_export_all_rw',`
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
auth_manage_all_files_except_shadow(nfsd_t)
|
||||
|
|
@ -6840,7 +6886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
|||
')
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
@@ -143,6 +153,8 @@
|
||||
@@ -143,6 +154,8 @@
|
||||
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
|
||||
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
|
||||
|
||||
|
|
@ -6849,7 +6895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
|||
kernel_read_network_state(gssd_t)
|
||||
kernel_read_network_state_symlinks(gssd_t)
|
||||
kernel_search_network_sysctl(gssd_t)
|
||||
@@ -158,6 +170,11 @@
|
||||
@@ -158,6 +171,11 @@
|
||||
|
||||
miscfiles_read_certs(gssd_t)
|
||||
|
||||
|
|
@ -8532,7 +8578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.0.4/policy/modules/system/fstools.te
|
||||
--- nsaserefpolicy/policy/modules/system/fstools.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/system/fstools.te 2007-07-25 13:27:51.000000000 -0400
|
||||
+++ serefpolicy-3.0.4/policy/modules/system/fstools.te 2007-08-01 10:57:11.000000000 -0400
|
||||
@@ -9,6 +9,7 @@
|
||||
type fsadm_t;
|
||||
type fsadm_exec_t;
|
||||
|
|
@ -8541,7 +8587,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
|
|||
role system_r types fsadm_t;
|
||||
|
||||
type fsadm_log_t;
|
||||
@@ -179,3 +180,8 @@
|
||||
@@ -69,6 +70,7 @@
|
||||
|
||||
dev_getattr_all_chr_files(fsadm_t)
|
||||
dev_dontaudit_getattr_all_blk_files(fsadm_t)
|
||||
+dev_dontaudit_getattr_generic_files(fsadm_t)
|
||||
# mkreiserfs and other programs need this for UUID
|
||||
dev_read_rand(fsadm_t)
|
||||
dev_read_urand(fsadm_t)
|
||||
@@ -179,3 +181,8 @@
|
||||
fs_dontaudit_write_ramfs_pipes(fsadm_t)
|
||||
rhgb_stub(fsadm_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.0.4
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: GPL
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -359,6 +359,9 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Aug 1 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-5
|
||||
- Fix new usb devices and dmfm
|
||||
|
||||
* Mon Jul 30 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-4
|
||||
- Eliminate mount_ntfs_t policy, merge into mount_t
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue