Fix ipa.if
parent
1f53e62396
commit
83715e6621
@ -16881,7 +16881,7 @@ index 54f1827..39faa3f 100644
|
||||
+/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
+/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
|
||||
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
|
||||
index 64c4cd0..69be610 100644
|
||||
index 64c4cd0..b9d9660 100644
|
||||
--- a/policy/modules/kernel/storage.if
|
||||
+++ b/policy/modules/kernel/storage.if
|
||||
@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
|
||||
@ -17010,7 +17010,7 @@ index 64c4cd0..69be610 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the caller to directly read
|
||||
@@ -813,3 +897,411 @@ interface(`storage_unconfined',`
|
||||
@@ -813,3 +897,452 @@ interface(`storage_unconfined',`
|
||||
|
||||
typeattribute $1 storage_unconfined_type;
|
||||
')
|
||||
@ -17355,6 +17355,47 @@ index 64c4cd0..69be610 100644
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg10")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg11")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg12")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg13")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg14")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg15")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg16")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg17")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg18")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg19")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg20")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg21")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg22")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg23")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg24")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg25")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg26")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg27")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg28")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg29")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg30")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg31")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg32")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg33")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg34")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg35")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg36")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg37")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg38")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg39")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg40")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg41")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg42")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg43")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg44")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg45")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg46")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg47")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg48")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg49")
|
||||
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg50")
|
||||
+ dev_filetrans($1, removable_device_t, blk_file, "sr0")
|
||||
+ dev_filetrans($1, removable_device_t, blk_file, "sr1")
|
||||
+ dev_filetrans($1, removable_device_t, blk_file, "sr2")
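Review bot: The added run of `dev_filetrans($1, scsi_generic_device_t, chr_file, "sgN")` rules stops at `"sg50"`, and nothing in the hunk says why 50 is the ceiling. Named file transitions match an exact filename, so a node called `sg51` created by this domain would presumably not receive `scsi_generic_device_t` from these rules and would get whatever default transition applies; that is worth confirming on hosts with many SCSI generic devices. I would put a comment above the run, for example `# named transitions are exact-match: sg names up to sg50 are covered, extend the list if more devices are expected`. The enclosing interface begins and ends outside this hunk.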
|
||||
|
@ -28811,7 +28811,7 @@ index e39de43..6a6db28 100644
|
||||
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
||||
diff --git a/gnome.if b/gnome.if
|
||||
index ab09d61..d0bfef0 100644
|
||||
index ab09d61..8bcb6ba 100644
|
||||
--- a/gnome.if
|
||||
+++ b/gnome.if
|
||||
@@ -1,52 +1,78 @@
|
||||
@ -29858,7 +29858,7 @@ index ab09d61..d0bfef0 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -706,12 +820,931 @@ interface(`gnome_stream_connect_gkeyringd',`
|
||||
@@ -706,12 +820,948 @@ interface(`gnome_stream_connect_gkeyringd',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -30251,6 +30251,23 @@ index ab09d61..d0bfef0 100644
|
||||
+ read_files_pattern($1, config_home_t, config_home_t)
|
||||
+ read_lnk_files_pattern($1, config_home_t, config_home_t)
|
||||
+')
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## append gnome homedir content (.config)
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`gnome_append_home_config',`
|
||||
+ gen_require(`
|
||||
+ type config_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ append_files_pattern($1, config_home_t, config_home_t)
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
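Review bot: The summary of the new `gnome_append_home_config` interface, `append gnome homedir content (.config)`, is lower-case and says "content", although the body only calls `append_files_pattern($1, config_home_t, config_home_t)`, which concerns files of that type. I would word it `## Append to generic GNOME config files in the user home directory (.config).` so a caller can see the scope without reading the body. Because the grant covers every file labelled `config_home_t`, a short description element noting that callers handling untrusted input should prefer a narrower type would also help. The trailing `## <summary>` line belongs to the next interface, which continues outside the hunk.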
|
||||
@ -33328,10 +33345,10 @@ index 0000000..48d7322
|
||||
+
|
||||
diff --git a/ipa.if b/ipa.if
|
||||
new file mode 100644
|
||||
index 0000000..4095bed
|
||||
index 0000000..d028154
|
||||
--- /dev/null
|
||||
+++ b/ipa.if
|
||||
@@ -0,0 +1,58 @@
|
||||
@@ -0,0 +1,57 @@
|
||||
+## <summary>Policy for IPA services.</summary>
|
||||
+
|
||||
+########################################
|
||||
@ -33389,7 +33406,6 @@ index 0000000..4095bed
|
||||
+ manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
|
||||
+')
|
||||
+
|
||||
+')
|
||||
diff --git a/ipa.te b/ipa.te
|
||||
new file mode 100644
|
||||
index 0000000..b60bc5f
|
||||
@ -73656,10 +73672,10 @@ index 0000000..a073efd
|
||||
+')
|
||||
diff --git a/rasdaemon.te b/rasdaemon.te
|
||||
new file mode 100644
|
||||
index 0000000..7b1fa9e
|
||||
index 0000000..6731d5c
|
||||
--- /dev/null
|
||||
+++ b/rasdaemon.te
|
||||
@@ -0,0 +1,45 @@
|
||||
@@ -0,0 +1,46 @@
|
||||
+policy_module(rasdaemon, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -73691,16 +73707,17 @@ index 0000000..7b1fa9e
|
||||
+kernel_read_system_state(rasdaemon_t)
|
||||
+kernel_manage_debugfs(rasdaemon_t)
|
||||
+
|
||||
+auth_use_nsswitch(rasdaemon_t)
|
||||
+
|
||||
+dev_read_raw_memory(rasdaemon_t)
|
||||
+dev_read_sysfs(rasdaemon_t)
|
||||
+dev_read_urand(rasdaemon_t)
|
||||
+
|
||||
+logging_send_syslog_msg(rasdaemon_t)
|
||||
+dev_rw_cpu_microcode(rasdaemon_t)
|
||||
+
|
||||
+modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277
|
||||
+
|
||||
+auth_use_nsswitch(rasdaemon_t)
|
||||
+
|
||||
+logging_send_syslog_msg(rasdaemon_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dmidecode_exec(rasdaemon_t)
|
||||
+')
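Review bot: The trailing comment on `modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277` does not name the tracker or say why the denial is being silenced, and a dontaudit rule removes these AVC records from the audit log that responders would otherwise see. I would replace it with a comment line above the rule, such as `# rasdaemon tries to exec insmod at startup; denial is expected and harmless (tracker #1030277)`, adjusted to what the report actually says. `dev_rw_cpu_microcode(rasdaemon_t)`, which appears to be added here as well, sits next to `dev_read_raw_memory` with no rationale, and a one-line comment stating what rasdaemon needs from the microcode device would make the grant reviewable. The old and new sides of this hunk cannot be told apart with certainty on the rendered page, so this applies to the lines as they appear in the final file.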
|
||||
@ -95084,10 +95101,10 @@ index 0000000..c1fd8b4
|
||||
+')
|
||||
diff --git a/thumb.te b/thumb.te
|
||||
new file mode 100644
|
||||
index 0000000..bb3e477
|
||||
index 0000000..0e30ce2
|
||||
--- /dev/null
|
||||
+++ b/thumb.te
|
||||
@@ -0,0 +1,156 @@
|
||||
@@ -0,0 +1,157 @@
|
||||
+policy_module(thumb, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -95217,6 +95234,7 @@ index 0000000..bb3e477
|
||||
+ # .config
|
||||
+ gnome_dontaudit_search_config(thumb_t)
|
||||
+ gnome_dontaudit_write_config_files(thumb_t)
|
||||
+ gnome_append_home_config(thumb_t)
|
||||
+ gnome_append_generic_cache_files(thumb_t)
|
||||
+ gnome_read_generic_data_home_files(thumb_t)
|
||||
+ gnome_dontaudit_rw_generic_cache_files(thumb_t)
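Review bot: `gnome_append_home_config(thumb_t)`, which looks like the line this hunk adds since the interface is introduced in the same commit, gives the thumbnailer domain append access to every file labelled `config_home_t`. It sits directly below `gnome_dontaudit_write_config_files(thumb_t)`, which treats writes to the same area as unwanted. thumb_t parses files the user did not necessarily author, so the grant should be as narrow as the denial that motivated it. I would at least record that denial next to the rule, for example `# thumbnailer appends to <file> under ~/.config (bug #<id>)` with the placeholders filled in, and consider a dedicated type for that file instead of the generic one. The surrounding block opens and closes outside this hunk.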
|
||||
|