Prelink patch from Dan Walsh.

Prelink has new directory under /var/lib dontaudit leaks from domains that transition cron job looks at all mount points.
2010-06-18 14:07:53 -04:00 · 2010-06-18 14:07:53 -04:00 · a9ef84b578
commit a9ef84b578
parent 9a4d292902
3 changed files with 10 additions and 2 deletions
--- a/policy/modules/admin/prelink.fc
+++ b/policy/modules/admin/prelink.fc
@ -8,3 +8,4 @@
 /var/log/prelink(/.*)?			gen_context(system_u:object_r:prelink_log_t,s0)
 /var/lib/misc/prelink.*		--	gen_context(system_u:object_r:prelink_var_lib_t,s0)
 /var/lib/prelink(/.*)?			gen_context(system_u:object_r:prelink_var_lib_t,s0)
--- a/policy/modules/admin/prelink.if
+++ b/policy/modules/admin/prelink.if
@ -17,6 +17,11 @@ interface(`prelink_domtrans',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, prelink_exec_t, prelink_t)
 	ifdef(`hide_broken_symptoms', `
 		dontaudit prelink_t $1:socket_class_set { read write };
 		dontaudit prelink_t $1:fifo_file setattr;
 	')
 ')
 ########################################
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@ -1,4 +1,4 @@
-policy_module(prelink, 1.9.0)
+policy_module(prelink, 1.9.1)
 ########################################
 #
@ -123,7 +123,7 @@ optional_policy(`
 optional_policy(`
 	allow prelink_cron_system_t self:capability setuid;
-	allow prelink_cron_system_t self:process { setsched setfscreate };
+	allow prelink_cron_system_t self:process { setsched setfscreate signal };
 	allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
 	allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
@ -144,7 +144,9 @@ optional_policy(`
 	corecmd_exec_bin(prelink_cron_system_t)
 	corecmd_exec_shell(prelink_cron_system_t)
 	files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
 	files_read_etc_files(prelink_cron_system_t)
 	files_search_var_lib(prelink_cron_system_t)
 	init_exec(prelink_cron_system_t)