- Fixes to allow svirt read iso files in homedir
parent
ec9800856c
commit
9ca87fc9d8
@ -4522,6 +4522,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# network_node examples:
|
# network_node examples:
|
||||||
#network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
|
#network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
|
||||||
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
|
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.10/policy/modules/kernel/devices.fc
|
||||||
|
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-03-05 14:09:51.000000000 -0500
|
||||||
|
+++ serefpolicy-3.6.10/policy/modules/kernel/devices.fc 2009-03-24 15:09:41.000000000 -0400
|
||||||
|
@@ -91,6 +91,7 @@
|
||||||
|
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
|
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
|
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
|
+/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
|
||||||
|
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
|
||||||
|
/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||||
|
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.10/policy/modules/kernel/devices.te
|
||||||
|
--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-03-05 12:28:57.000000000 -0500
|
||||||
|
+++ serefpolicy-3.6.10/policy/modules/kernel/devices.te 2009-03-24 15:08:54.000000000 -0400
|
||||||
|
@@ -188,6 +188,12 @@
|
||||||
|
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
|
||||||
|
|
||||||
|
#
|
||||||
|
+# Type for /dev/tpm
|
||||||
|
+#
|
||||||
|
+type tpm_device_t;
|
||||||
|
+dev_node(tpm_device_t)
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
# urandom_device_t is the type of /dev/urandom
|
||||||
|
#
|
||||||
|
type urandom_device_t;
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.10/policy/modules/kernel/domain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.10/policy/modules/kernel/domain.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500
|
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/kernel/domain.if 2009-03-24 09:03:48.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/kernel/domain.if 2009-03-24 09:03:48.000000000 -0400
|
||||||
@ -12100,7 +12127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.10/policy/modules/services/hal.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.10/policy/modules/services/hal.te
|
||||||
--- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/services/hal.te 2009-03-24 09:03:48.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/services/hal.te 2009-03-24 10:36:54.000000000 -0400
|
||||||
@@ -49,6 +49,15 @@
|
@@ -49,6 +49,15 @@
|
||||||
type hald_var_lib_t;
|
type hald_var_lib_t;
|
||||||
files_type(hald_var_lib_t)
|
files_type(hald_var_lib_t)
|
||||||
@ -12142,10 +12169,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(hald_t)
|
userdom_dontaudit_use_unpriv_user_fds(hald_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(hald_t)
|
userdom_dontaudit_search_user_home_dirs(hald_t)
|
||||||
@@ -277,6 +292,13 @@
|
@@ -277,6 +292,17 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
+ ppp_read_rw_config(hald_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ polkit_domtrans_auth(hald_t)
|
+ polkit_domtrans_auth(hald_t)
|
||||||
+ polkit_domtrans_resolve(hald_t)
|
+ polkit_domtrans_resolve(hald_t)
|
||||||
+ polkit_read_lib(hald_t)
|
+ polkit_read_lib(hald_t)
|
||||||
@ -12156,7 +12187,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
rpc_search_nfs_state_data(hald_t)
|
rpc_search_nfs_state_data(hald_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -301,12 +323,16 @@
|
@@ -301,12 +327,16 @@
|
||||||
virt_manage_images(hald_t)
|
virt_manage_images(hald_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -12174,7 +12205,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow hald_acl_t self:process { getattr signal };
|
allow hald_acl_t self:process { getattr signal };
|
||||||
allow hald_acl_t self:fifo_file rw_fifo_file_perms;
|
allow hald_acl_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
@@ -321,6 +347,7 @@
|
@@ -321,6 +351,7 @@
|
||||||
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
|
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
|
||||||
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
|
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
|
||||||
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
|
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
|
||||||
@ -12182,7 +12213,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
corecmd_exec_bin(hald_acl_t)
|
corecmd_exec_bin(hald_acl_t)
|
||||||
|
|
||||||
@@ -339,6 +366,8 @@
|
@@ -339,6 +370,8 @@
|
||||||
|
|
||||||
storage_getattr_removable_dev(hald_acl_t)
|
storage_getattr_removable_dev(hald_acl_t)
|
||||||
storage_setattr_removable_dev(hald_acl_t)
|
storage_setattr_removable_dev(hald_acl_t)
|
||||||
@ -12191,7 +12222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
auth_use_nsswitch(hald_acl_t)
|
auth_use_nsswitch(hald_acl_t)
|
||||||
|
|
||||||
@@ -346,12 +375,18 @@
|
@@ -346,12 +379,18 @@
|
||||||
|
|
||||||
miscfiles_read_localization(hald_acl_t)
|
miscfiles_read_localization(hald_acl_t)
|
||||||
|
|
||||||
@ -12211,7 +12242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
|
domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
|
||||||
allow hald_t hald_mac_t:process signal;
|
allow hald_t hald_mac_t:process signal;
|
||||||
@@ -374,6 +409,8 @@
|
@@ -374,6 +413,8 @@
|
||||||
|
|
||||||
auth_use_nsswitch(hald_mac_t)
|
auth_use_nsswitch(hald_mac_t)
|
||||||
|
|
||||||
@ -12220,7 +12251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
miscfiles_read_localization(hald_mac_t)
|
miscfiles_read_localization(hald_mac_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -418,3 +455,49 @@
|
@@ -418,3 +459,49 @@
|
||||||
files_read_usr_files(hald_keymap_t)
|
files_read_usr_files(hald_keymap_t)
|
||||||
|
|
||||||
miscfiles_read_localization(hald_keymap_t)
|
miscfiles_read_localization(hald_keymap_t)
|
||||||
@ -16693,7 +16724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# /sbin
|
# /sbin
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.10/policy/modules/services/ppp.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.10/policy/modules/services/ppp.if
|
||||||
--- nsaserefpolicy/policy/modules/services/ppp.if 2008-11-11 16:13:46.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/ppp.if 2008-11-11 16:13:46.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/services/ppp.if 2009-03-24 09:03:48.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/services/ppp.if 2009-03-24 10:36:17.000000000 -0400
|
||||||
@@ -58,6 +58,25 @@
|
@@ -58,6 +58,25 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -21101,8 +21132,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.10/policy/modules/services/virt.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.10/policy/modules/services/virt.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/virt.fc 2009-01-05 15:39:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/virt.fc 2009-01-05 15:39:43.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/services/virt.fc 2009-03-24 09:03:48.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/services/virt.fc 2009-03-24 15:39:18.000000000 -0400
|
||||||
@@ -8,5 +8,14 @@
|
@@ -8,5 +8,15 @@
|
||||||
|
|
||||||
/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
|
/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
|
||||||
/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
|
/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
|
||||||
@ -21113,6 +21144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
|
+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
|
||||||
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
||||||
|
+HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
||||||
+
|
+
|
||||||
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
|
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
|
||||||
+
|
+
|
||||||
@ -21267,7 +21299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.10/policy/modules/services/virt.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.10/policy/modules/services/virt.te
|
||||||
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.10/policy/modules/services/virt.te 2009-03-24 09:03:48.000000000 -0400
|
+++ serefpolicy-3.6.10/policy/modules/services/virt.te 2009-03-24 15:41:15.000000000 -0400
|
||||||
@@ -8,20 +8,18 @@
|
@@ -8,20 +8,18 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -21450,8 +21482,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ kerberos_keytab_template(virtd, virtd_t)
|
+ kerberos_keytab_template(virtd, virtd_t)
|
||||||
+')
|
+')
|
||||||
+
|
|
||||||
+optional_policy(`
|
optional_policy(`
|
||||||
|
- qemu_domtrans(virtd_t)
|
||||||
+ lvm_domtrans(virtd_t)
|
+ lvm_domtrans(virtd_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -21460,9 +21493,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ polkit_domtrans_resolve(virtd_t)
|
+ polkit_domtrans_resolve(virtd_t)
|
||||||
+ polkit_read_lib(virtd_t)
|
+ polkit_read_lib(virtd_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
optional_policy(`
|
+optional_policy(`
|
||||||
- qemu_domtrans(virtd_t)
|
|
||||||
+ qemu_spec_domtrans(virtd_t, svirt_t)
|
+ qemu_spec_domtrans(virtd_t, svirt_t)
|
||||||
qemu_read_state(virtd_t)
|
qemu_read_state(virtd_t)
|
||||||
qemu_signal(virtd_t)
|
qemu_signal(virtd_t)
|
||||||
@ -21471,7 +21503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -198,5 +262,73 @@
|
@@ -198,5 +262,76 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -21508,6 +21540,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
|
+manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
|
||||||
+manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
|
+manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
|
||||||
+
|
+
|
||||||
|
+list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
|
||||||
|
+read_files_pattern(svirt_t, virt_content_t, virt_content_t)
|
||||||
|
+
|
||||||
+storage_raw_write_removable_device(svirt_t)
|
+storage_raw_write_removable_device(svirt_t)
|
||||||
+storage_raw_read_removable_device(svirt_t)
|
+storage_raw_read_removable_device(svirt_t)
|
||||||
+
|
+
|
||||||
|
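Review bot: `list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)` and `read_files_pattern(svirt_t, virt_content_t, virt_content_t)` give every sVirt guest read access to all virt_content_t files, and the new virt.fc contexts for `HOME_DIR/VirtualMachines/isos(/.*)?` and `HOME_DIR/.virtinst(/.*)?` label that content at plain `s0` with no category, so MCS does not restrict which guest, or which user's home directory, the content is read from. If that sharing is intentional (install media treated as public to all guests), a comment above the two rules should say so, e.g. `# virt_content_t is read-only install media shared by all guests; MCS categories do not apply`; if ~/.virtinst can hold more than install media, a more specific type for that directory may be warranted — this cannot be confirmed from the hunk. The svirt_t block of virt.te continues outside this hunk.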
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.6.10
|
Version: 3.6.10
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -444,6 +444,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Mar 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-2
|
||||||
|
- Fixes to allow svirt read iso files in homedir
|
||||||
|
|
||||||
* Thu Mar 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-1
|
* Thu Mar 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-1
|
||||||
- Add xenner and wine fixes from mgrepl
|
- Add xenner and wine fixes from mgrepl
|
||||||
|
|
||||||
|