Prelink patch from Dan Walsh.

Prelink has new directory under /var/lib

dontaudit leaks from domains that transition

cron job looks at all mount points.
Chris PeBenito 2010-06-18 14:07:53 -04:00
parent 9a4d292902
commit a9ef84b578
3 changed files with 10 additions and 2 deletions


@ -8,3 +8,4 @@
/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
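Review bot: The `/var/lib/prelink(/.*)?` entry has no file-type qualifier, so it labels the directory and everything beneath it as prelink_var_lib_t, while the existing `/var/lib/misc/prelink.*` entry is limited to regular files by `--`. The type-enforcement file therefore needs directory rules for this type, for example `manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)` and a `files_var_lib_filetrans` that includes `dir`; whether it already has them is not visible on this page. Where the directory already exists on disk, it keeps its previous label until it is relabelled with `restorecon -R /var/lib/prelink`, and until then access may be denied or fall back to a broader var_lib type.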


@ -17,6 +17,11 @@ interface(`prelink_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, prelink_exec_t, prelink_t)
ifdef(`hide_broken_symptoms', `
dontaudit prelink_t $1:socket_class_set { read write };
dontaudit prelink_t $1:fifo_file setattr;
')
')
########################################
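Review bot: The two `dontaudit` rules inside the `ifdef` in `prelink_domtrans` apply to every caller `$1`, and `socket_class_set` covers every socket class. As a result, any read or write by prelink_t on a socket inherited from the caller is denied without an AVC record, not only the harmless descriptor leaks the commit message refers to. The `hide_broken_symptoms` gate limits this to builds that opt in, but the block has no comment saying so; I would add `# Callers leak open sockets/fifos across the transition; denials hidden only under hide_broken_symptoms.` above the `ifdef`. When investigating prelink behaviour, these rules can be disabled temporarily with `semodule -DB` so that the denials show up in the audit log again. The interface starts above this hunk, so its `## <summary>` header is not visible here.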


@ -1,4 +1,4 @@
policy_module(prelink, 1.9.0)
policy_module(prelink, 1.9.1)
########################################
#
@ -123,7 +123,7 @@ optional_policy(`
optional_policy(`
allow prelink_cron_system_t self:capability setuid;
allow prelink_cron_system_t self:process { setsched setfscreate };
allow prelink_cron_system_t self:process { setsched setfscreate signal };
allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
@ -144,7 +144,9 @@ optional_policy(`
corecmd_exec_bin(prelink_cron_system_t)
corecmd_exec_shell(prelink_cron_system_t)
files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
files_read_etc_files(prelink_cron_system_t)
files_search_var_lib(prelink_cron_system_t)
init_exec(prelink_cron_system_t)