Committing my changes
This commit is contained in:
parent
d17f759dd0
commit
ad10efc1aa
@ -1,11 +1,45 @@
|
|||||||
diff --git a/policy/mcs b/policy/mcs
|
diff -up serefpolicy-3.10.0/policy/mcs.trans serefpolicy-3.10.0/policy/mcs
|
||||||
index ed7a0c1..90d0b1e 100644
|
--- serefpolicy-3.10.0/policy/mcs.trans 2011-12-05 16:30:45.081703537 -0500
|
||||||
--- a/policy/mcs
|
+++ serefpolicy-3.10.0/policy/mcs 2011-12-05 16:34:09.674001926 -0500
|
||||||
+++ b/policy/mcs
|
|
||||||
@@ -1,4 +1,6 @@
|
@@ -1,4 +1,6 @@
|
||||||
ifdef(`enable_mcs',`
|
ifdef(`enable_mcs',`
|
||||||
+default_trans level dir_file_class_set parent;
|
+default_range dir_file_class_set target low;
|
||||||
+
|
+
|
||||||
#
|
#
|
||||||
# Define sensitivities
|
# Define sensitivities
|
||||||
#
|
#
|
||||||
|
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
|
||||||
|
index 26c13f2..2354089 100644
|
||||||
|
--- a/policy/modules/kernel/devices.fc
|
||||||
|
+++ b/policy/modules/kernel/devices.fc
|
||||||
|
@@ -205,6 +205,7 @@ ifdef(`distro_redhat',`
|
||||||
|
# /sys
|
||||||
|
#
|
||||||
|
/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
|
||||||
|
+/sys/devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
|
||||||
|
|
||||||
|
/usr/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)
|
||||||
|
/usr/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||||
|
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
|
||||||
|
index 112bebb..8f727be 100644
|
||||||
|
--- a/policy/modules/kernel/devices.te
|
||||||
|
+++ b/policy/modules/kernel/devices.te
|
||||||
|
@@ -226,8 +226,8 @@ fs_type(sysfs_t)
|
||||||
|
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
|
||||||
|
|
||||||
|
type cpu_online_t;
|
||||||
|
-allow cpu_online_t sysfs_t:filesystem associate;
|
||||||
|
-genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
|
||||||
|
+files_type(cpu_online_t)
|
||||||
|
+dev_associate_sysfs(cpu_online_t)
|
||||||
|
|
||||||
|
#
|
||||||
|
# Type for /dev/tpm
|
||||||
|
diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
|
||||||
|
index 7be4ddf..f7021a0 100644
|
||||||
|
--- a/policy/modules/kernel/kernel.fc
|
||||||
|
+++ b/policy/modules/kernel/kernel.fc
|
||||||
|
@@ -1 +1,2 @@
|
||||||
|
-# This module currently does not have any file contexts.
|
||||||
|
+
|
||||||
|
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
|
||||||
|
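Review bot: `default_range dir_file_class_set target low;` changes how the MCS range of newly created files and directories is computed: per the default_range statement, `target low` takes the low level of the target (the parent directory) instead of the creating process's range, so a process running with MCS categories that creates a file in an uncategorized directory now yields an uncategorized file. That is presumably a deliberate trade of per-category isolation for usability, and it should be stated in the patch so the intent survives the next rebase, e.g. add above the statement `# New files take the parent directory's low MCS level rather than the creator's range`. The name of this patch file is not shown on the page; the hunk itself is complete.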
@ -17,13 +17,14 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.10.0
|
Version: 3.10.0
|
||||||
Release: 68%{?dist}
|
Release: 68.1%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
patch: policy-F16.patch
|
patch: policy-F16.patch
|
||||||
patch1: unconfined_permissive.patch
|
patch1: unconfined_permissive.patch
|
||||||
patch2: thumb.patch
|
patch2: thumb.patch
|
||||||
|
patch3: default_trans.patch
|
||||||
Source1: modules-targeted.conf
|
Source1: modules-targeted.conf
|
||||||
Source2: booleans-targeted.conf
|
Source2: booleans-targeted.conf
|
||||||
Source3: Makefile.devel
|
Source3: Makefile.devel
|
||||||
@ -238,7 +239,8 @@ Based off of reference policy: Checked out revision 2.20091117
|
|||||||
%setup -n serefpolicy-%{version} -q
|
%setup -n serefpolicy-%{version} -q
|
||||||
%patch -p1
|
%patch -p1
|
||||||
%patch1 -p1 -b .unconfined
|
%patch1 -p1 -b .unconfined
|
||||||
#%patch2 -p1 -b .thumb
|
%patch2 -p1 -b .thumb
|
||||||
|
#%patch3 -p1 -b .trans
|
||||||
|
|
||||||
%install
|
%install
|
||||||
mkdir selinux_config
|
mkdir selinux_config
|
||||||
|
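Review bot: `patch3: default_trans.patch` is declared in the preamble, but the matching `#%patch3 -p1 -b .trans` in %prep stays commented out, so the patch is packaged in the SRPM without ever being applied (rpmlint reports this as an unapplied patch) and the `Release: 68.1%{?dist}` bump ships no change from it. Either uncomment `%patch3 -p1 -b .trans` or drop the `patch3:` line until the patch is meant to be active; if it is held back because the kernel-module hunks were also copied into thumb.patch, a comment saying so on the `#%patch3` line would keep the next maintainer from enabling both. The spec file's name is not shown on this page; this reads as the selinux-policy spec from its `Name:` line.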
50
thumb.patch
50
thumb.patch
@ -1,16 +1,50 @@
|
|||||||
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.thumb serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te
|
||||||
index 1105ff5..620e17b 100644
|
--- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.thumb 2011-12-13 16:04:19.597732170 -0500
|
||||||
--- a/policy/modules/roles/unconfineduser.te
|
+++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te 2011-12-13 16:04:42.718741218 -0500
|
||||||
+++ b/policy/modules/roles/unconfineduser.te
|
@@ -160,6 +160,11 @@ optional_policy(`
|
||||||
@@ -188,6 +188,11 @@ optional_policy(`
|
rtkit_scheduled(unconfined_t)
|
||||||
rtkit_scheduled(unconfined_usertype)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
+ # Might remove later if this proves to be problematic, but would like to gather AVCs
|
+ # Might remove later if this proves to be problematic, but would like to gather AVCs
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ thumb_role(unconfined_r, unconfined_usertype)
|
+ thumb_role(unconfined_r, unconfined_t)
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
setroubleshoot_dbus_chat(unconfined_usertype)
|
setroubleshoot_dbus_chat(unconfined_t)
|
||||||
setroubleshoot_dbus_chat_fixit(unconfined_t)
|
setroubleshoot_dbus_chat_fixit(unconfined_t)
|
||||||
|
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
|
||||||
|
index 26c13f2..2354089 100644
|
||||||
|
--- a/policy/modules/kernel/devices.fc
|
||||||
|
+++ b/policy/modules/kernel/devices.fc
|
||||||
|
@@ -205,6 +205,7 @@ ifdef(`distro_redhat',`
|
||||||
|
# /sys
|
||||||
|
#
|
||||||
|
/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
|
||||||
|
+/sys/devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
|
||||||
|
|
||||||
|
/usr/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)
|
||||||
|
/usr/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||||
|
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
|
||||||
|
index 112bebb..8f727be 100644
|
||||||
|
--- a/policy/modules/kernel/devices.te
|
||||||
|
+++ b/policy/modules/kernel/devices.te
|
||||||
|
@@ -226,8 +226,8 @@ fs_type(sysfs_t)
|
||||||
|
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
|
||||||
|
|
||||||
|
type cpu_online_t;
|
||||||
|
-allow cpu_online_t sysfs_t:filesystem associate;
|
||||||
|
-genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
|
||||||
|
+files_type(cpu_online_t)
|
||||||
|
+dev_associate_sysfs(cpu_online_t)
|
||||||
|
|
||||||
|
#
|
||||||
|
# Type for /dev/tpm
|
||||||
|
diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
|
||||||
|
index 7be4ddf..f7021a0 100644
|
||||||
|
--- a/policy/modules/kernel/kernel.fc
|
||||||
|
+++ b/policy/modules/kernel/kernel.fc
|
||||||
|
@@ -1 +1,2 @@
|
||||||
|
-# This module currently does not have any file contexts.
|
||||||
|
+
|
||||||
|
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
|
||||||
|
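Review bot: The `devices.fc`, `devices.te` and `kernel.fc` hunks appended to thumb.patch (from `diff --git a/policy/modules/kernel/devices.fc` onward) are the same hunks added to the first patch file on this page, so one change now lives in two patches; with `%patch2` enabled and `%patch3` commented out only one copy is applied today, but enabling `%patch3` later will fail on those files as an already-applied patch. Keep the kernel-module hunks in exactly one patch file. Separately, the rebased unconfineduser.te hunk narrows `thumb_role(unconfined_r, unconfined_usertype)` to `thumb_role(unconfined_r, unconfined_t)` while the neighbouring `rtkit_scheduled(unconfined_usertype)` context still uses the attribute; if the thumbnailer transition was meant for every unconfined_usertype domain the line should stay on the attribute, and if the narrowing is intended a short comment in the hunk saying why would help.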