Fix ipa.if

This commit is contained in:
Miroslav Grepl 2014-03-26 11:14:21 +01:00
parent 1f53e62396
commit 83715e6621
2 changed files with 74 additions and 15 deletions

View File

@ -16881,7 +16881,7 @@ index 54f1827..39faa3f 100644
+/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) +/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 64c4cd0..69be610 100644 index 64c4cd0..b9d9660 100644
--- a/policy/modules/kernel/storage.if --- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if
@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',` @@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
@ -17010,7 +17010,7 @@ index 64c4cd0..69be610 100644
######################################## ########################################
## <summary> ## <summary>
## Allow the caller to directly read ## Allow the caller to directly read
@@ -813,3 +897,411 @@ interface(`storage_unconfined',` @@ -813,3 +897,452 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type; typeattribute $1 storage_unconfined_type;
') ')
@ -17355,6 +17355,47 @@ index 64c4cd0..69be610 100644
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg10")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg11")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg12")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg13")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg14")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg15")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg16")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg17")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg18")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg19")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg20")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg21")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg22")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg23")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg24")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg25")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg26")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg27")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg28")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg29")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg30")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg31")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg32")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg33")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg34")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg35")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg36")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg37")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg38")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg39")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg40")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg41")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg42")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg43")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg44")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg45")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg46")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg47")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg48")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg49")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg50")
+ dev_filetrans($1, removable_device_t, blk_file, "sr0") + dev_filetrans($1, removable_device_t, blk_file, "sr0")
+ dev_filetrans($1, removable_device_t, blk_file, "sr1") + dev_filetrans($1, removable_device_t, blk_file, "sr1")
+ dev_filetrans($1, removable_device_t, blk_file, "sr2") + dev_filetrans($1, removable_device_t, blk_file, "sr2")

View File

@ -28811,7 +28811,7 @@ index e39de43..6a6db28 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if diff --git a/gnome.if b/gnome.if
index ab09d61..d0bfef0 100644 index ab09d61..8bcb6ba 100644
--- a/gnome.if --- a/gnome.if
+++ b/gnome.if +++ b/gnome.if
@@ -1,52 +1,78 @@ @@ -1,52 +1,78 @@
@ -29858,7 +29858,7 @@ index ab09d61..d0bfef0 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -706,12 +820,931 @@ interface(`gnome_stream_connect_gkeyringd',` @@ -706,12 +820,948 @@ interface(`gnome_stream_connect_gkeyringd',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -30251,6 +30251,23 @@ index ab09d61..d0bfef0 100644
+ read_files_pattern($1, config_home_t, config_home_t) + read_files_pattern($1, config_home_t, config_home_t)
+ read_lnk_files_pattern($1, config_home_t, config_home_t) + read_lnk_files_pattern($1, config_home_t, config_home_t)
+') +')
+#######################################
+## <summary>
+## append gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_append_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ append_files_pattern($1, config_home_t, config_home_t)
+')
+ +
+####################################### +#######################################
+## <summary> +## <summary>
@ -33328,10 +33345,10 @@ index 0000000..48d7322
+ +
diff --git a/ipa.if b/ipa.if diff --git a/ipa.if b/ipa.if
new file mode 100644 new file mode 100644
index 0000000..4095bed index 0000000..d028154
--- /dev/null --- /dev/null
+++ b/ipa.if +++ b/ipa.if
@@ -0,0 +1,58 @@ @@ -0,0 +1,57 @@
+## <summary>Policy for IPA services.</summary> +## <summary>Policy for IPA services.</summary>
+ +
+######################################## +########################################
@ -33389,7 +33406,6 @@ index 0000000..4095bed
+ manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t) + manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+') +')
+ +
+')
diff --git a/ipa.te b/ipa.te diff --git a/ipa.te b/ipa.te
new file mode 100644 new file mode 100644
index 0000000..b60bc5f index 0000000..b60bc5f
@ -73656,10 +73672,10 @@ index 0000000..a073efd
+') +')
diff --git a/rasdaemon.te b/rasdaemon.te diff --git a/rasdaemon.te b/rasdaemon.te
new file mode 100644 new file mode 100644
index 0000000..7b1fa9e index 0000000..6731d5c
--- /dev/null --- /dev/null
+++ b/rasdaemon.te +++ b/rasdaemon.te
@@ -0,0 +1,45 @@ @@ -0,0 +1,46 @@
+policy_module(rasdaemon, 1.0.0) +policy_module(rasdaemon, 1.0.0)
+ +
+######################################## +########################################
@ -73691,16 +73707,17 @@ index 0000000..7b1fa9e
+kernel_read_system_state(rasdaemon_t) +kernel_read_system_state(rasdaemon_t)
+kernel_manage_debugfs(rasdaemon_t) +kernel_manage_debugfs(rasdaemon_t)
+ +
+auth_use_nsswitch(rasdaemon_t)
+
+dev_read_raw_memory(rasdaemon_t) +dev_read_raw_memory(rasdaemon_t)
+dev_read_sysfs(rasdaemon_t) +dev_read_sysfs(rasdaemon_t)
+dev_read_urand(rasdaemon_t) +dev_read_urand(rasdaemon_t)
+ +dev_rw_cpu_microcode(rasdaemon_t)
+logging_send_syslog_msg(rasdaemon_t)
+ +
+modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277 +modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277
+ +
+auth_use_nsswitch(rasdaemon_t)
+
+logging_send_syslog_msg(rasdaemon_t)
+
+optional_policy(` +optional_policy(`
+ dmidecode_exec(rasdaemon_t) + dmidecode_exec(rasdaemon_t)
+') +')
@ -95084,10 +95101,10 @@ index 0000000..c1fd8b4
+') +')
diff --git a/thumb.te b/thumb.te diff --git a/thumb.te b/thumb.te
new file mode 100644 new file mode 100644
index 0000000..bb3e477 index 0000000..0e30ce2
--- /dev/null --- /dev/null
+++ b/thumb.te +++ b/thumb.te
@@ -0,0 +1,156 @@ @@ -0,0 +1,157 @@
+policy_module(thumb, 1.0.0) +policy_module(thumb, 1.0.0)
+ +
+######################################## +########################################
@ -95217,6 +95234,7 @@ index 0000000..bb3e477
+ # .config + # .config
+ gnome_dontaudit_search_config(thumb_t) + gnome_dontaudit_search_config(thumb_t)
+ gnome_dontaudit_write_config_files(thumb_t) + gnome_dontaudit_write_config_files(thumb_t)
+ gnome_append_home_config(thumb_t)
+ gnome_append_generic_cache_files(thumb_t) + gnome_append_generic_cache_files(thumb_t)
+ gnome_read_generic_data_home_files(thumb_t) + gnome_read_generic_data_home_files(thumb_t)
+ gnome_dontaudit_rw_generic_cache_files(thumb_t) + gnome_dontaudit_rw_generic_cache_files(thumb_t)