- Allow devicekit_disk to list inotify
This commit is contained in:
Daniel J Walsh
parent
4816e90c52
commit
e21330348f
@ -1142,6 +1142,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
miscfiles_read_localization(awstats_t)
|
||||
|
||||
sysnet_dns_name_resolve(awstats_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.26/policy/modules/apps/calamaris.te
|
||||
--- nsaserefpolicy/policy/modules/apps/calamaris.te 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/apps/calamaris.te 2009-08-05 16:42:44.000000000 -0400
|
||||
@@ -84,3 +84,7 @@
|
||||
optional_policy(`
|
||||
nis_use_ypbind(calamaris_t)
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ nscd_socket_use(calamaris_t)
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.26/policy/modules/apps/cpufreqselector.te
|
||||
--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-07-28 13:28:33.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/apps/cpufreqselector.te 2009-07-30 15:33:08.000000000 -0400
|
||||
@ -4932,7 +4943,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.26/policy/modules/kernel/files.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/kernel/files.if 2009-07-30 15:33:08.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/kernel/files.if 2009-08-05 17:20:50.000000000 -0400
|
||||
@@ -110,6 +110,11 @@
|
||||
## </param>
|
||||
#
|
||||
@ -10117,7 +10128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow $1 devicekit_t:process { ptrace signal_perms getattr };
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.26/policy/modules/services/devicekit.te
|
||||
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/devicekit.te 2009-07-30 15:33:08.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/devicekit.te 2009-08-05 16:52:16.000000000 -0400
|
||||
@@ -36,12 +36,15 @@
|
||||
manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
|
||||
manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
|
||||
@ -10155,7 +10166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_setsched(devicekit_disk_t)
|
||||
|
||||
corecmd_exec_bin(devicekit_disk_t)
|
||||
@@ -79,11 +86,13 @@
|
||||
@@ -79,21 +86,26 @@
|
||||
dev_rw_sysfs(devicekit_disk_t)
|
||||
dev_read_urand(devicekit_disk_t)
|
||||
dev_getattr_usbfs_dirs(devicekit_disk_t)
|
||||
@ -10167,9 +10178,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_read_usr_files(devicekit_disk_t)
|
||||
+files_manage_isid_type_dirs(devicekit_disk_t)
|
||||
|
||||
+fs_list_inotifyfs(devicekit_disk_t)
|
||||
+fs_manage_fusefs_dirs(devicekit_disk_t)
|
||||
fs_mount_all_fs(devicekit_disk_t)
|
||||
fs_unmount_all_fs(devicekit_disk_t)
|
||||
@@ -94,6 +103,8 @@
|
||||
-fs_manage_fusefs_dirs(devicekit_disk_t)
|
||||
|
||||
storage_raw_read_fixed_disk(devicekit_disk_t)
|
||||
storage_raw_write_fixed_disk(devicekit_disk_t)
|
||||
storage_raw_read_removable_device(devicekit_disk_t)
|
||||
storage_raw_write_removable_device(devicekit_disk_t)
|
||||
|
||||
@ -10178,7 +10194,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
auth_use_nsswitch(devicekit_disk_t)
|
||||
|
||||
miscfiles_read_localization(devicekit_disk_t)
|
||||
@@ -110,6 +121,7 @@
|
||||
@@ -110,6 +122,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10186,7 +10202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
policykit_domtrans_auth(devicekit_disk_t)
|
||||
policykit_read_lib(devicekit_disk_t)
|
||||
policykit_read_reload(devicekit_disk_t)
|
||||
@@ -134,6 +146,19 @@
|
||||
@@ -134,6 +147,19 @@
|
||||
udev_read_db(devicekit_disk_t)
|
||||
')
|
||||
|
||||
@ -10206,7 +10222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# DeviceKit-Power local policy
|
||||
@@ -142,6 +167,7 @@
|
||||
@@ -142,6 +168,7 @@
|
||||
allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace };
|
||||
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
|
||||
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
|
||||
@ -10214,7 +10230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||
@@ -151,6 +177,7 @@
|
||||
@@ -151,6 +178,7 @@
|
||||
kernel_read_system_state(devicekit_power_t)
|
||||
kernel_rw_hotplug_sysctls(devicekit_power_t)
|
||||
kernel_rw_kernel_sysctl(devicekit_power_t)
|
||||
@ -10222,7 +10238,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corecmd_exec_bin(devicekit_power_t)
|
||||
corecmd_exec_shell(devicekit_power_t)
|
||||
@@ -159,6 +186,7 @@
|
||||
@@ -159,6 +187,7 @@
|
||||
|
||||
domain_read_all_domains_state(devicekit_power_t)
|
||||
|
||||
@ -10230,7 +10246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_rw_generic_usb_dev(devicekit_power_t)
|
||||
dev_rw_netcontrol(devicekit_power_t)
|
||||
dev_rw_sysfs(devicekit_power_t)
|
||||
@@ -180,8 +208,11 @@
|
||||
@@ -180,8 +209,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10243,7 +10259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow devicekit_power_t devicekit_t:dbus send_msg;
|
||||
|
||||
optional_policy(`
|
||||
@@ -203,17 +234,23 @@
|
||||
@@ -203,17 +235,23 @@
|
||||
|
||||
optional_policy(`
|
||||
hal_domtrans_mac(devicekit_power_t)
|
||||
@ -10709,7 +10725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.26/policy/modules/services/hal.te
|
||||
--- nsaserefpolicy/policy/modules/services/hal.te 2009-07-28 13:28:33.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/hal.te 2009-08-04 05:57:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/hal.te 2009-08-05 17:09:21.000000000 -0400
|
||||
@@ -55,6 +55,9 @@
|
||||
type hald_var_lib_t;
|
||||
files_type(hald_var_lib_t)
|
||||
@ -10803,10 +10819,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow hald_dccm_t self:process getsched;
|
||||
allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
|
||||
allow hald_dccm_t self:udp_socket create_socket_perms;
|
||||
@@ -469,10 +491,17 @@
|
||||
@@ -469,10 +491,22 @@
|
||||
manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
|
||||
files_search_var_lib(hald_dccm_t)
|
||||
|
||||
+manage_dirs_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
|
||||
+manage_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
|
||||
+manage_sock_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
|
||||
+files_pid_filetrans(hald_dccm_t, hald_var_run_t, { dir file sock_file })
|
||||
+
|
||||
+manage_sock_files_pattern(hald_dccm_t, hald_tmp_t, hald_tmp_t)
|
||||
+files_tmp_filetrans(hald_dccm_t, hald_tmp_t, sock_file)
|
||||
+
|
||||
@ -10821,7 +10842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_all_recvfrom_unlabeled(hald_dccm_t)
|
||||
corenet_all_recvfrom_netlabel(hald_dccm_t)
|
||||
corenet_tcp_sendrecv_generic_if(hald_dccm_t)
|
||||
@@ -484,6 +513,7 @@
|
||||
@@ -484,6 +518,7 @@
|
||||
corenet_tcp_bind_generic_node(hald_dccm_t)
|
||||
corenet_udp_bind_generic_node(hald_dccm_t)
|
||||
corenet_udp_bind_dhcpc_port(hald_dccm_t)
|
||||
@ -10829,7 +10850,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_bind_dccm_port(hald_dccm_t)
|
||||
|
||||
logging_send_syslog_msg(hald_dccm_t)
|
||||
@@ -491,3 +521,9 @@
|
||||
@@ -491,3 +526,9 @@
|
||||
files_read_usr_files(hald_dccm_t)
|
||||
|
||||
miscfiles_read_localization(hald_dccm_t)
|
||||
@ -13953,7 +13974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.26/policy/modules/services/rpc.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-07-29 15:15:33.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/rpc.te 2009-07-30 15:33:09.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/rpc.te 2009-08-05 17:22:27.000000000 -0400
|
||||
@@ -91,6 +91,8 @@
|
||||
|
||||
seutil_dontaudit_search_config(rpcd_t)
|
||||
@ -13990,6 +14011,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
dev_getattr_all_blk_files(nfsd_t)
|
||||
@@ -189,8 +197,10 @@
|
||||
fs_rw_rpc_sockets(gssd_t)
|
||||
fs_read_rpc_files(gssd_t)
|
||||
|
||||
+fs_list_inotifyfs(gssd_t)
|
||||
files_list_tmp(gssd_t)
|
||||
files_read_usr_symlinks(gssd_t)
|
||||
+files_dontaudit_write_var_dirs(gssd_t)
|
||||
|
||||
auth_use_nsswitch(gssd_t)
|
||||
auth_manage_cache(gssd_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.26/policy/modules/services/rsync.te
|
||||
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/rsync.te 2009-07-30 15:33:09.000000000 -0400
|
||||
@ -16491,6 +16523,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Send and receive messages from
|
||||
## sssd over dbus.
|
||||
## </summary>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.26/policy/modules/services/sysstat.te
|
||||
--- nsaserefpolicy/policy/modules/services/sysstat.te 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/sysstat.te 2009-08-05 17:06:04.000000000 -0400
|
||||
@@ -19,7 +19,7 @@
|
||||
# Local policy
|
||||
#
|
||||
|
||||
-allow sysstat_t self:capability { sys_resource sys_tty_config };
|
||||
+allow sysstat_t self:capability { dac_override sys_resource sys_tty_config };
|
||||
dontaudit sysstat_t self:capability sys_admin;
|
||||
allow sysstat_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.26/policy/modules/services/uucp.te
|
||||
--- nsaserefpolicy/policy/modules/services/uucp.te 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/uucp.te 2009-07-30 15:33:09.000000000 -0400
|
||||
@ -16533,7 +16577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.26/policy/modules/services/virt.if
|
||||
--- nsaserefpolicy/policy/modules/services/virt.if 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/virt.if 2009-07-30 15:33:09.000000000 -0400
|
||||
+++ serefpolicy-3.6.26/policy/modules/services/virt.if 2009-08-05 16:59:48.000000000 -0400
|
||||
@@ -103,7 +103,7 @@
|
||||
|
||||
########################################
|
||||
@ -16631,7 +16675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## All of the rules required to administrate
|
||||
## an virt environment
|
||||
## </summary>
|
||||
@@ -327,3 +364,54 @@
|
||||
@@ -327,3 +364,56 @@
|
||||
|
||||
virt_manage_log($1)
|
||||
')
|
||||
@ -16664,6 +16708,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ files_tmpfs_file($1_tmpfs_t)
|
||||
+
|
||||
+ type $1_image_t, virt_image_type;
|
||||
+ files_type($1_image_t)
|
||||
+ dev_node($1_image_t)
|
||||
+
|
||||
+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
|
||||
+ manage_files_pattern($1_t, $1_image_t, $1_image_t)
|
||||
|
||||
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.26
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -475,6 +475,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Aug 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-6
|
||||
- Allow devicekit_disk to list inotify
|
||||
|
||||
* Wed Aug 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-5
|
||||
- Allow svirt images to create sock_file in svirt_var_run_t
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user