From d1c6ba20d583299341917ba381e828ef742ef28a Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Mon, 4 Oct 2010 14:45:52 -0400
Subject: [PATCH] Start adding support for use_fusefs_home_dirs

Add /var/lib/syslog directory file context
Add /etc/localtime as locale file context
---
 policy/global_tunables | 7 +++++++
 policy/modules/apps/mozilla.te | 1 +
 policy/modules/services/xserver.te | 26 ++++++++++++++++++++++++--
 policy/modules/system/logging.fc | 1 +
 policy/modules/system/miscfiles.fc | 1 +
 5 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/policy/global_tunables b/policy/global_tunables
index f85244d2..6e82b1ea 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -87,6 +87,13 @@ gen_tunable(use_nfs_home_dirs,false) ## gen_tunable(use_samba_home_dirs,false) +## +##

+## Support fusefs home directories +##

+##
+gen_tunable(use_fusefs_home_dirs,false) + ## ##

## Allow users to run TCP servers (bind to ports and accept connection from
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index cc87b60b..d4cb9c42 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -369,6 +369,7 @@ userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
 userdom_manage_user_tmp_sockets(mozilla_plugin_t)
 userdom_list_user_tmp(mozilla_plugin_t)
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
 userdom_read_user_tmp_files(mozilla_plugin_t)
 userdom_read_user_tmp_symlinks(mozilla_plugin_t)
 userdom_read_user_home_content_files(mozilla_plugin_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index f37e8ae6..44cd7383 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -280,6 +280,10 @@ userdom_use_user_terminals(iceauth_t)
 userdom_read_user_tmp_files(iceauth_t)
 userdom_read_all_users_state(iceauth_t)
 
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_manage_fusefs_files(iceauth_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_files(iceauth_t)
 ')
@@ -369,6 +373,11 @@ ifdef(`hide_broken_symptoms',`
 miscfiles_read_fonts(xauth_t)
 ')
 
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_manage_fusefs_files(xauth_t)
+ fs_read_fusefs_symlinks(xauth_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_files(xauth_t)
 fs_read_nfs_symlinks(xauth_t)
@@ -661,6 +670,13 @@ ifdef(`distro_rhel4',`
 allow xdm_t self:process { execheap execmem };
 ')
 
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_manage_fusefs_dirs(xdm_t)
+ fs_manage_fusefs_files(xdm_t)
+ fs_manage_fusefs_symlinks(xdm_t)
+ fs_exec_fusefs_files(xdm_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(xdm_t)
 fs_manage_nfs_files(xdm_t)
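Review bot: The added `userdom_manage_user_tmp_dirs(mozilla_plugin_t)` in the mozilla.te hunk is the one change in this patch that neither the subject line nor the commit body mentions, and it widens the plugin domain from listing user tmp directories to managing them (presumably create/rename/delete, as the other manage_* interfaces grant — confirm against the userdom interface definitions). Please add a sentence to the commit message naming the denial or feature this addresses. If the manage interface already implies directory listing, the `userdom_list_user_tmp(mozilla_plugin_t)` context line directly above the addition becomes redundant and could be dropped in the same change.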
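Review bot: `fs_read_fusefs_symlinks(xauth_t)` in the `@@ -369,6 +373,11 @@` hunk and `fs_exec_fusefs_files(xdm_t)` in the `@@ -661,6 +670,13 @@` hunk call interfaces this patch does not define — the diffstat touches no file in the fs module — so the build depends on them already existing; confirm they are declared next to `fs_manage_fusefs_files`, or add them in the same series. The xdm_t block is also the only fusefs block here that grants execute on files under a fusefs-backed home, broader than the iceauth_t, xauth_t and xserver_t blocks; if it is meant to mirror the nfs block below it (whose remainder is outside the hunk), a short comment stating why xdm needs exec there, e.g. `# exec needed to match the nfs/cifs home dir blocks`, would make the intent reviewable.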
@@ -1151,6 +1167,12 @@ tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_symlinks(xserver_t)
 ')
 
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_manage_fusefs_dirs(xserver_t)
+ fs_manage_fusefs_files(xserver_t)
+ fs_manage_fusefs_symlinks(xserver_t)
+')
+
 tunable_policy(`use_samba_home_dirs',`
 fs_manage_cifs_dirs(xserver_t)
 fs_manage_cifs_files(xserver_t)
@@ -1338,8 +1360,8 @@ tunable_policy(`use_nfs_home_dirs',`
 fs_append_nfs_files(xdmhomewriter)
 ')
 
-tunable_policy(`use_samba_home_dirs',`
- fs_append_cifs_files(xdmhomewriter)
+tunable_policy(`use_nfs_home_dirs',`
+ fs_append_nfs_files(xdmhomewriter)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index a76d2fcd..ca6409ce 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -29,6 +29,7 @@
 /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+/var/lib/syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 ifdef(`distro_suse', `
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 1f0ccfd3..a8bd9fe9 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -10,6 +10,7 @@ ifdef(`distro_gentoo',`
 # /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 /etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
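Review bot: The replacement block in the `@@ -1338,8 +1360,8 @@` hunk is a verbatim copy of the `use_nfs_home_dirs` block immediately above it (the hunk's own context lines `tunable_policy(`use_nfs_home_dirs',`` / `fs_append_nfs_files(xdmhomewriter)` / `')`), so the net effect is to delete `fs_append_cifs_files(xdmhomewriter)` for Samba home directories and add a duplicate nfs rule rather than a fusefs one. Given the commit subject, the intended change is presumably `tunable_policy(`use_fusefs_home_dirs',`` with the fusefs counterpart of fs_append_nfs_files (if the fs module provides one), and the samba block should be left in place. If dropping the cifs append rule is deliberate, it silently changes behaviour for use_samba_home_dirs users and must be stated in the commit message.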
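Review bot: The commit body says "Add /etc/localtime as locale file context", but in the miscfiles.fc hunk `/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)` is an unchanged context line and the line actually added is `/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)`. The message should say `Add /etc/timezone as locale file context` so the history matches the labelling change.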