- Allow NetworkManager to dbus chat with yum-updated
parent
bf7f975f77
commit
babb3641bd
@ -2814,7 +2814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.7/policy/modules/kernel/files.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/kernel/files.if 2007-09-11 08:45:38.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/kernel/files.if 2007-09-11 14:40:00.000000000 -0400
|
||||
@@ -343,8 +343,7 @@
|
||||
|
||||
########################################
|
||||
@ -3289,7 +3289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
|
||||
optional_policy(`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.7/policy/modules/kernel/selinux.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-07-03 07:05:38.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/kernel/selinux.if 2007-09-06 15:43:06.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/kernel/selinux.if 2007-09-11 13:01:12.000000000 -0400
|
||||
@@ -138,6 +138,7 @@
|
||||
type security_t;
|
||||
')
|
||||
@ -6285,7 +6285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.7/policy/modules/services/ftp.te
|
||||
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/ftp.te 2007-09-10 14:54:57.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/ftp.te 2007-09-11 14:32:19.000000000 -0400
|
||||
@@ -88,6 +88,7 @@
|
||||
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow ftpd_t self:tcp_socket create_stream_socket_perms;
|
||||
@ -6327,20 +6327,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
|
||||
')
|
||||
|
||||
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
|
||||
@@ -252,7 +264,9 @@
|
||||
@@ -252,7 +264,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ kerberos_use(ftpd_t)
|
||||
kerberos_read_keytab(ftpd_t)
|
||||
+ kerberos_manage_host_rcache(ftpd_t)
|
||||
+ selinux_validate_context(ftpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.7/policy/modules/services/hal.fc
|
||||
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-05-30 11:47:29.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/hal.fc 2007-09-06 15:43:06.000000000 -0400
|
||||
@@ -8,9 +8,15 @@
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/hal.fc 2007-09-11 15:14:05.000000000 -0400
|
||||
@@ -8,9 +8,17 @@
|
||||
/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
|
||||
|
||||
/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
|
||||
@ -6356,6 +6357,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||
+
|
||||
+/var/log/pm-suspend.log gen_context(system_u:object_r:hald_log_t,s0)
|
||||
+
|
||||
+/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
|
||||
+/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.0.7/policy/modules/services/hal.if
|
||||
--- nsaserefpolicy/policy/modules/services/hal.if 2007-05-29 14:10:57.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/hal.if 2007-09-06 15:43:06.000000000 -0400
|
||||
@ -7386,7 +7389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
||||
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.7/policy/modules/services/networkmanager.te
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-08-22 07:14:07.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/networkmanager.te 2007-09-06 15:43:06.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/networkmanager.te 2007-09-11 14:21:48.000000000 -0400
|
||||
@@ -20,7 +20,7 @@
|
||||
|
||||
# networkmanager will ptrace itself if gdb is installed
|
||||
@ -7405,7 +7408,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
||||
corenet_all_recvfrom_unlabeled(NetworkManager_t)
|
||||
corenet_all_recvfrom_netlabel(NetworkManager_t)
|
||||
corenet_tcp_sendrecv_all_if(NetworkManager_t)
|
||||
@@ -152,6 +154,11 @@
|
||||
@@ -136,6 +138,9 @@
|
||||
dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
|
||||
dbus_connect_system_bus(NetworkManager_t)
|
||||
dbus_send_system_bus(NetworkManager_t)
|
||||
+ optional_policy(`
|
||||
+ rpm_dbus_chat(NetworkManager_t)
|
||||
+ ')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -152,6 +157,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -7417,7 +7430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
|
||||
ppp_domtrans(NetworkManager_t)
|
||||
ppp_read_pid_files(NetworkManager_t)
|
||||
ppp_signal(NetworkManager_t)
|
||||
@@ -166,8 +173,10 @@
|
||||
@@ -166,8 +176,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -9669,7 +9682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.7/policy/modules/services/setroubleshoot.te
|
||||
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/setroubleshoot.te 2007-09-11 11:09:25.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/setroubleshoot.te 2007-09-11 15:24:02.000000000 -0400
|
||||
@@ -33,7 +33,6 @@
|
||||
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
@ -9705,13 +9718,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
|
||||
selinux_get_enforce_mode(setroubleshootd_t)
|
||||
selinux_validate_context(setroubleshootd_t)
|
||||
|
||||
@@ -109,5 +114,7 @@
|
||||
@@ -109,5 +114,8 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- nis_use_ypbind(setroubleshootd_t)
|
||||
+ dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
|
||||
+ dbus_send_system_bus(setroubleshootd_t)
|
||||
+ dbus_connect_system_bus(setroubleshootd_t)
|
||||
')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.0.7/policy/modules/services/snmp.fc
|
||||
@ -11302,8 +11316,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
|
||||
+/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.if serefpolicy-3.0.7/policy/modules/system/brctl.if
|
||||
--- nsaserefpolicy/policy/modules/system/brctl.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.0.7/policy/modules/system/brctl.if 2007-09-06 15:43:06.000000000 -0400
|
||||
@@ -0,0 +1,25 @@
|
||||
+++ serefpolicy-3.0.7/policy/modules/system/brctl.if 2007-09-11 14:23:37.000000000 -0400
|
||||
@@ -0,0 +1,43 @@
|
||||
+
|
||||
+## <summary>Utilities for configuring the linux ethernet bridge</summary>
|
||||
+
|
||||
@ -11329,6 +11343,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
|
||||
+ allow brctl_t $1:fifo_file rw_file_perms;
|
||||
+ allow brctl_t $1:process sigchld;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Get attributes brctl executable.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`brctl_getattr',`
|
||||
+ gen_require(`
|
||||
+ type brctl_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 brctl_exec_t:file getattr;
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.7/policy/modules/system/brctl.te
|
||||
--- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.0.7/policy/modules/system/brctl.te 2007-09-10 08:59:32.000000000 -0400
|
||||
@ -15418,7 +15450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.7/policy/modules/system/xen.te
|
||||
--- nsaserefpolicy/policy/modules/system/xen.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/system/xen.te 2007-09-07 08:48:47.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/system/xen.te 2007-09-11 14:25:59.000000000 -0400
|
||||
@@ -95,7 +95,7 @@
|
||||
read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
|
||||
rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
|
||||
@ -15428,7 +15460,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
||||
dev_filetrans(xend_t, xenctl_t, fifo_file)
|
||||
|
||||
manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
|
||||
@@ -126,7 +126,7 @@
|
||||
@@ -122,11 +122,13 @@
|
||||
manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
|
||||
files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
|
||||
|
||||
+init_stream_connect_script(xend_t)
|
||||
+
|
||||
# transition to store
|
||||
domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
|
||||
allow xenstored_t xend_t:fd use;
|
||||
allow xenstored_t xend_t:process sigchld;
|
||||
@ -15437,7 +15475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
||||
|
||||
# transition to console
|
||||
domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
|
||||
@@ -176,6 +176,7 @@
|
||||
@@ -176,6 +178,7 @@
|
||||
files_manage_etc_runtime_files(xend_t)
|
||||
files_etc_filetrans_etc_runtime(xend_t,file)
|
||||
files_read_usr_files(xend_t)
|
||||
@ -15445,7 +15483,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
||||
|
||||
storage_raw_read_fixed_disk(xend_t)
|
||||
storage_raw_write_fixed_disk(xend_t)
|
||||
@@ -224,7 +225,7 @@
|
||||
@@ -214,6 +217,10 @@
|
||||
netutils_domtrans(xend_t)
|
||||
|
||||
optional_policy(`
|
||||
+ brctl_getattr(xend_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
consoletype_exec(xend_t)
|
||||
')
|
||||
|
||||
@@ -224,7 +231,7 @@
|
||||
|
||||
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
|
||||
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -15454,7 +15503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
||||
|
||||
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
|
||||
|
||||
@@ -257,7 +258,7 @@
|
||||
@@ -257,7 +264,7 @@
|
||||
|
||||
miscfiles_read_localization(xenconsoled_t)
|
||||
|
||||
@ -15463,7 +15512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
||||
xen_stream_connect_xenstore(xenconsoled_t)
|
||||
|
||||
########################################
|
||||
@@ -265,7 +266,7 @@
|
||||
@@ -265,7 +272,7 @@
|
||||
# Xen store local policy
|
||||
#
|
||||
|
||||
@ -15472,7 +15521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
||||
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow xenstored_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
@@ -318,12 +319,13 @@
|
||||
@@ -318,12 +325,13 @@
|
||||
allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
|
||||
|
||||
# internal communication is often done using fifo and unix sockets.
|
||||
@ -15487,7 +15536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
||||
files_search_var_lib(xm_t)
|
||||
|
||||
allow xm_t xen_image_t:dir rw_dir_perms;
|
||||
@@ -336,6 +338,7 @@
|
||||
@@ -336,6 +344,7 @@
|
||||
kernel_write_xen_state(xm_t)
|
||||
|
||||
corecmd_exec_bin(xm_t)
|
||||
@ -15495,7 +15544,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
||||
|
||||
corenet_tcp_sendrecv_generic_if(xm_t)
|
||||
corenet_tcp_sendrecv_all_nodes(xm_t)
|
||||
@@ -366,3 +369,14 @@
|
||||
@@ -353,6 +362,7 @@
|
||||
|
||||
term_use_all_terms(xm_t)
|
||||
|
||||
+init_stream_connect_script(xm_t)
|
||||
init_rw_script_stream_sockets(xm_t)
|
||||
init_use_fds(xm_t)
|
||||
|
||||
@@ -366,3 +376,14 @@
|
||||
xen_append_log(xm_t)
|
||||
xen_stream_connect(xm_t)
|
||||
xen_stream_connect_xenstore(xm_t)
|
||||
|
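Review bot: In networkmanager.te the added `rpm_dbus_chat(NetworkManager_t)` is named for the rpm domain, while the changelog describes the peer as yum-updated. The interface body is not shown on this page, so confirm that it grants only the system-bus message exchange NetworkManager needs, and record the reason next to the call, e.g. `# NetworkManager talks to the yum update daemon over the system bus`. The nested hunk headers also indicate that this revision adds `init_stream_connect_script(xend_t)`, `init_stream_connect_script(xm_t)` and `brctl_getattr(xend_t)` in xen.te, none of which the changelog entry mentions; listing each new grant there keeps the policy auditable. In the new `brctl_getattr` interface in brctl.if, the parameter summary says "Domain allowed to transition." although the only rule is `allow $1 brctl_exec_t:file getattr;`, so `Domain allowed access.` would describe it correctly.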
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.0.7
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -362,6 +362,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Sep 11 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-10
|
||||
- Allow NetworkManager to dbus chat with yum-updated
|
||||
|
||||
* Tue Sep 11 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-9
|
||||
- Allow xfs to bind to port 7100
|
||||
|
||||
|