- Allow svirt to manage pci and other sysfs device data
parent
0e31a0e8ca
commit
959ab94100
@ -4897,7 +4897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+corecmd_executable_file(wm_exec_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-04-30 08:31:43.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-05-05 14:05:47.000000000 -0400
|
||||
@@ -32,6 +32,8 @@
|
||||
#
|
||||
# /etc
|
||||
@ -4907,16 +4907,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/etc/apcupsd/apccontrol -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/apcupsd/changeme -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/apcupsd/commfailure -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -134,6 +136,8 @@
|
||||
@@ -134,6 +136,10 @@
|
||||
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
+/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
@@ -210,6 +214,7 @@
|
||||
@@ -210,6 +216,7 @@
|
||||
/usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -4924,7 +4926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -299,3 +304,20 @@
|
||||
@@ -299,3 +306,20 @@
|
||||
ifdef(`distro_suse',`
|
||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
@ -5157,7 +5159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-03-05 12:28:56.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-04-28 15:25:49.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-05-05 16:42:47.000000000 -0400
|
||||
@@ -2268,6 +2268,25 @@
|
||||
|
||||
########################################
|
||||
@ -11482,7 +11484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.12/policy/modules/services/cups.te
|
||||
--- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-05-05 14:06:36.000000000 -0400
|
||||
@@ -20,9 +20,18 @@
|
||||
type cupsd_etc_t;
|
||||
files_config_file(cupsd_etc_t)
|
||||
@ -11660,7 +11662,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_list_world_readable(cupsd_t)
|
||||
files_read_world_readable_files(cupsd_t)
|
||||
files_read_world_readable_symlinks(cupsd_t)
|
||||
@@ -195,15 +240,16 @@
|
||||
@@ -195,19 +240,21 @@
|
||||
files_read_var_symlinks(cupsd_t)
|
||||
# for /etc/printcap
|
||||
files_dontaudit_write_etc_files(cupsd_t)
|
||||
@ -11681,7 +11683,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
auth_use_nsswitch(cupsd_t)
|
||||
|
||||
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
|
||||
@@ -217,17 +263,21 @@
|
||||
libs_read_lib_files(cupsd_t)
|
||||
+libs_exec_lib_files(cupsd_t)
|
||||
|
||||
logging_send_audit_msgs(cupsd_t)
|
||||
logging_send_syslog_msg(cupsd_t)
|
||||
@@ -217,17 +264,21 @@
|
||||
miscfiles_read_fonts(cupsd_t)
|
||||
|
||||
seutil_read_config(cupsd_t)
|
||||
@ -11706,7 +11713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -244,8 +294,16 @@
|
||||
@@ -244,8 +295,16 @@
|
||||
userdom_dbus_send_all_users(cupsd_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -11723,7 +11730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -261,6 +319,10 @@
|
||||
@@ -261,6 +320,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11734,7 +11741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# cups execs smbtool which reads samba_etc_t files
|
||||
samba_read_config(cupsd_t)
|
||||
samba_rw_var_files(cupsd_t)
|
||||
@@ -279,7 +341,7 @@
|
||||
@@ -279,7 +342,7 @@
|
||||
# Cups configuration daemon local policy
|
||||
#
|
||||
|
||||
@ -11743,7 +11750,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dontaudit cupsd_config_t self:capability sys_tty_config;
|
||||
allow cupsd_config_t self:process signal_perms;
|
||||
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -302,8 +364,10 @@
|
||||
@@ -302,8 +365,10 @@
|
||||
|
||||
allow cupsd_config_t cupsd_log_t:file rw_file_perms;
|
||||
|
||||
@ -11756,7 +11763,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
|
||||
|
||||
@@ -311,7 +375,7 @@
|
||||
@@ -311,7 +376,7 @@
|
||||
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
|
||||
|
||||
kernel_read_system_state(cupsd_config_t)
|
||||
@ -11765,7 +11772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_all_recvfrom_unlabeled(cupsd_config_t)
|
||||
corenet_all_recvfrom_netlabel(cupsd_config_t)
|
||||
@@ -324,6 +388,7 @@
|
||||
@@ -324,6 +389,7 @@
|
||||
dev_read_sysfs(cupsd_config_t)
|
||||
dev_read_urand(cupsd_config_t)
|
||||
dev_read_rand(cupsd_config_t)
|
||||
@ -11773,7 +11780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
fs_getattr_all_fs(cupsd_config_t)
|
||||
fs_search_auto_mountpoints(cupsd_config_t)
|
||||
@@ -341,13 +406,14 @@
|
||||
@@ -341,13 +407,14 @@
|
||||
files_read_var_symlinks(cupsd_config_t)
|
||||
|
||||
# Alternatives asks for this
|
||||
@ -11789,7 +11796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
seutil_dontaudit_search_config(cupsd_config_t)
|
||||
|
||||
@@ -359,14 +425,16 @@
|
||||
@@ -359,14 +426,16 @@
|
||||
lpd_read_config(cupsd_config_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@ -11808,7 +11815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
|
||||
')
|
||||
|
||||
@@ -382,6 +450,7 @@
|
||||
@@ -382,6 +451,7 @@
|
||||
optional_policy(`
|
||||
hal_domtrans(cupsd_config_t)
|
||||
hal_read_tmp_files(cupsd_config_t)
|
||||
@ -11816,7 +11823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -491,7 +560,10 @@
|
||||
@@ -491,7 +561,10 @@
|
||||
allow hplip_t self:udp_socket create_socket_perms;
|
||||
allow hplip_t self:rawip_socket create_socket_perms;
|
||||
|
||||
@ -11828,7 +11835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
cups_stream_connect(hplip_t)
|
||||
|
||||
@@ -500,6 +572,13 @@
|
||||
@@ -500,6 +573,13 @@
|
||||
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
|
||||
files_search_etc(hplip_t)
|
||||
|
||||
@ -11842,7 +11849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
|
||||
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
|
||||
|
||||
@@ -529,7 +608,8 @@
|
||||
@@ -529,7 +609,8 @@
|
||||
dev_read_urand(hplip_t)
|
||||
dev_read_rand(hplip_t)
|
||||
dev_rw_generic_usb_dev(hplip_t)
|
||||
@ -11852,7 +11859,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
fs_getattr_all_fs(hplip_t)
|
||||
fs_search_auto_mountpoints(hplip_t)
|
||||
@@ -553,7 +633,9 @@
|
||||
@@ -553,7 +634,9 @@
|
||||
userdom_dontaudit_search_user_home_dirs(hplip_t)
|
||||
userdom_dontaudit_search_user_home_content(hplip_t)
|
||||
|
||||
@ -11863,7 +11870,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(hplip_t)
|
||||
@@ -635,3 +717,49 @@
|
||||
@@ -635,3 +718,49 @@
|
||||
optional_policy(`
|
||||
udev_read_db(ptal_t)
|
||||
')
|
||||
@ -13478,6 +13485,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# pid file
|
||||
manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
||||
manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.12/policy/modules/services/fetchmail.te
|
||||
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/fetchmail.te 2009-05-04 15:58:59.000000000 -0400
|
||||
@@ -9,6 +9,7 @@
|
||||
type fetchmail_t;
|
||||
type fetchmail_exec_t;
|
||||
init_daemon_domain(fetchmail_t, fetchmail_exec_t)
|
||||
+application_executable_file(fetchmail_exec_t)
|
||||
|
||||
type fetchmail_var_run_t;
|
||||
files_pid_file(fetchmail_var_run_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.12/policy/modules/services/fprintd.fc
|
||||
--- nsaserefpolicy/policy/modules/services/fprintd.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.fc 2009-04-28 15:26:41.000000000 -0400
|
||||
@ -24168,8 +24186,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
|
||||
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-30 18:07:51.000000000 -0400
|
||||
@@ -8,19 +8,24 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-05 16:45:39.000000000 -0400
|
||||
@@ -8,19 +8,31 @@
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
@ -24190,14 +24208,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
-attribute virt_image_type;
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow svirt to user serial/parallell communication ports
|
||||
+## Allow svirt to manage device configuration, (pci)
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(virt_manage_sysfs, false)
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow svirt to use serial/parallell communication ports
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(virt_use_comm, false)
|
||||
|
||||
type virt_etc_t;
|
||||
files_config_file(virt_etc_t)
|
||||
@@ -29,8 +34,13 @@
|
||||
@@ -29,8 +41,13 @@
|
||||
files_type(virt_etc_rw_t)
|
||||
|
||||
# virt Image files
|
||||
@ -24213,7 +24238,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
type virt_log_t;
|
||||
logging_log_file(virt_log_t)
|
||||
@@ -48,17 +58,39 @@
|
||||
@@ -48,17 +65,39 @@
|
||||
type virtd_initrc_exec_t;
|
||||
init_script_file(virtd_initrc_exec_t)
|
||||
|
||||
@ -24255,7 +24280,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
|
||||
@@ -67,7 +99,11 @@
|
||||
@@ -67,7 +106,11 @@
|
||||
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||
|
||||
@ -24268,7 +24293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||
@@ -86,6 +122,7 @@
|
||||
@@ -86,6 +129,7 @@
|
||||
kernel_read_network_state(virtd_t)
|
||||
kernel_rw_net_sysctls(virtd_t)
|
||||
kernel_load_module(virtd_t)
|
||||
@ -24276,7 +24301,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corecmd_exec_bin(virtd_t)
|
||||
corecmd_exec_shell(virtd_t)
|
||||
@@ -96,7 +133,7 @@
|
||||
@@ -96,7 +140,7 @@
|
||||
corenet_tcp_sendrecv_generic_node(virtd_t)
|
||||
corenet_tcp_sendrecv_all_ports(virtd_t)
|
||||
corenet_tcp_bind_generic_node(virtd_t)
|
||||
@ -24285,7 +24310,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_bind_vnc_port(virtd_t)
|
||||
corenet_tcp_connect_vnc_port(virtd_t)
|
||||
corenet_tcp_connect_soundd_port(virtd_t)
|
||||
@@ -104,21 +141,39 @@
|
||||
@@ -104,21 +148,39 @@
|
||||
|
||||
dev_read_sysfs(virtd_t)
|
||||
dev_read_rand(virtd_t)
|
||||
@ -24326,7 +24351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
term_getattr_pty_fs(virtd_t)
|
||||
term_use_ptmx(virtd_t)
|
||||
|
||||
@@ -129,6 +184,13 @@
|
||||
@@ -129,6 +191,13 @@
|
||||
|
||||
logging_send_syslog_msg(virtd_t)
|
||||
|
||||
@ -24340,7 +24365,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
userdom_read_all_users_state(virtd_t)
|
||||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
@@ -167,22 +229,34 @@
|
||||
@@ -167,22 +236,34 @@
|
||||
dnsmasq_domtrans(virtd_t)
|
||||
dnsmasq_signal(virtd_t)
|
||||
dnsmasq_kill(virtd_t)
|
||||
@ -24363,15 +24388,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+optional_policy(`
|
||||
+ lvm_domtrans(virtd_t)
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
- qemu_domtrans(virtd_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ polkit_domtrans_auth(virtd_t)
|
||||
+ polkit_domtrans_resolve(virtd_t)
|
||||
+ polkit_read_lib(virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
- qemu_domtrans(virtd_t)
|
||||
+ qemu_spec_domtrans(virtd_t, svirt_t)
|
||||
qemu_read_state(virtd_t)
|
||||
qemu_signal(virtd_t)
|
||||
@ -24380,7 +24405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -195,8 +269,84 @@
|
||||
@@ -195,8 +276,88 @@
|
||||
|
||||
xen_stream_connect(virtd_t)
|
||||
xen_stream_connect_xenstore(virtd_t)
|
||||
@ -24444,6 +24469,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ dev_rw_printer(svirt_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`virt_manage_sysfs',`
|
||||
+ dev_rw_sysfs(svirt_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`virt_use_nfs',`
|
||||
+ fs_manage_nfs_dirs(svirt_t)
|
||||
+ fs_manage_nfs_files(svirt_t)
|
||||
@ -29613,7 +29642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
xen_append_log(ifconfig_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te
|
||||
--- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-05-04 14:15:06.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-05-04 14:18:49.000000000 -0400
|
||||
@@ -50,6 +50,7 @@
|
||||
allow udev_t self:unix_stream_socket connectto;
|
||||
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
@ -32373,7 +32402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.12/policy/modules/system/userdomain.te
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.te 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.te 2009-05-05 08:21:50.000000000 -0400
|
||||
@@ -8,13 +8,6 @@
|
||||
|
||||
## <desc>
|
||||
@ -32433,7 +32462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
userdom_user_home_content(user_home_t)
|
||||
fs_associate_tmpfs(user_home_t)
|
||||
files_associate_tmp(user_home_t)
|
||||
@@ -95,3 +91,23 @@
|
||||
@@ -95,3 +91,25 @@
|
||||
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
|
||||
dev_node(user_tty_device_t)
|
||||
ubac_constrained(user_tty_device_t)
|
||||
@ -32457,6 +32486,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ fs_read_cifs_named_sockets(userhomereader)
|
||||
+ fs_read_cifs_named_pipes(userhomereader)
|
||||
+')
|
||||
+
|
||||
+allow userdomain userdomain:process signull;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.12/policy/modules/system/virtual.fc
|
||||
--- nsaserefpolicy/policy/modules/system/virtual.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/virtual.fc 2009-04-23 09:44:57.000000000 -0400
|
||||
@ -32783,7 +32814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te
|
||||
--- nsaserefpolicy/policy/modules/system/xen.te 2009-01-19 11:07:34.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-05-05 14:42:25.000000000 -0400
|
||||
@@ -6,6 +6,13 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -32970,7 +33001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_write_xen_state(xenstored_t)
|
||||
kernel_read_xen_state(xenstored_t)
|
||||
|
||||
@@ -312,18 +358,21 @@
|
||||
@@ -312,24 +358,28 @@
|
||||
|
||||
manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
|
||||
manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
|
||||
@ -32993,7 +33024,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_tcp_sendrecv_generic_if(xm_t)
|
||||
corenet_tcp_sendrecv_generic_node(xm_t)
|
||||
@@ -339,15 +388,58 @@
|
||||
corenet_tcp_connect_soundd_port(xm_t)
|
||||
|
||||
dev_read_urand(xm_t)
|
||||
+dev_search_sysfs(xm_t)
|
||||
|
||||
files_read_etc_runtime_files(xm_t)
|
||||
files_read_usr_files(xm_t)
|
||||
@@ -339,15 +389,58 @@
|
||||
|
||||
storage_raw_read_fixed_disk(xm_t)
|
||||
|
||||
|
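Review bot: The new `virt_manage_sysfs` tunable in the virt.te hunk is wired to `dev_rw_sysfs(svirt_t)`, which in refpolicy is read/write on all sysfs_t files — the whole of /sys — not just the PCI configuration that the tunable's `<desc>` ("manage device configuration, (pci)") and the commit title name, so with the boolean on a compromised qemu process in svirt_t can presumably write any writable host sysfs attribute (driver bind/unbind, device remove/rescan, power and module parameters), making the escape surface host-wide rather than per-device. If a narrower interface for the PCI paths is not available in this policy version, the description should at least say what is really being enabled so an administrator can weigh it, e.g. `## Allow svirt (qemu guest processes) to read and write all of sysfs (/sys), e.g. for PCI device assignment. Enabling this lets a compromised guest alter host device configuration.` The same hunk still carries the `parallell` misspelling in the `virt_use_comm` description, which is worth fixing while that block is being touched. The svirt_t rules that the `tunable_policy` block sits among continue outside the hunk.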
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.12
|
||||
Release: 28%{?dist}
|
||||
Release: 29%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -477,6 +477,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue May 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-29
|
||||
- Allow svirt to manage pci and other sysfs device data
|
||||
|
||||
* Mon May 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-28
|
||||
- Fix package selection handling
|
||||
|
||||
|