testing fixes

Chris PeBenito 2006-08-18 18:20:22 +00:00
parent 4bc6e32e28
commit e9b9e45214
12 changed files with 51 additions and 14 deletions


@ -103,6 +103,8 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
ifdef(`distro_gentoo',`
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')


@ -1,5 +1,5 @@
policy_module(corecommands,1.3.11)
policy_module(corecommands,1.3.12)
########################################
#


@ -12,7 +12,6 @@
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/console -c gen_context(system_u:object_r:console_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
@ -99,6 +98,12 @@ ifdef(`distro_suse', `
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
ifdef(`distro_redhat',`
# originally from named.fc
/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
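Review bot: The comment in the added `distro_gentoo` block misspells "initially" (`# used by init scripts to initally populate udev /dev`), and the same comment is repeated above the `/lib/udev/devices/console` entry in the terminal file-context section. Only `null` and `zero` are labelled here; if `/lib/udev/devices` ships other static nodes, they would presumably keep the generic label for `/lib` until something relabels them. A short comment saying why these entries are sufficient would help. The `distro_redhat` block that follows continues outside the hunk.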


@ -1,5 +1,5 @@
policy_module(devices,1.1.16)
policy_module(devices,1.1.17)
########################################
#


@ -1,8 +1,9 @@
/dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f] -c gen_context(system_u:object_r:bsdpty_device_t,s0)
/dev/[pt]ty[a-ep-z][0-9a-f] -c gen_context(system_u:object_r:bsdpty_device_t,s0)
/dev/adb.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/capi.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/console -c gen_context(system_u:object_r:console_device_t,s0)
/dev/cu.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0)
@ -29,4 +30,7 @@
ifdef(`distro_gentoo',`
/dev/tts/[0-9]* -c gen_context(system_u:object_r:tty_device_t,s0)
# used by init scripts to initally populate udev /dev
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
')


@ -1,5 +1,5 @@
policy_module(terminal,1.1.2)
policy_module(terminal,1.1.3)
########################################
#


@ -1,5 +1,5 @@
policy_module(init,1.3.19)
policy_module(init,1.3.20)
gen_require(`
class passwd rootok;
@ -397,6 +397,11 @@ ifdef(`distro_debian',`
')
ifdef(`distro_gentoo',`
# needed until baselayout is fixed to have the
# restorecon on /dev to again be immediately after
# mounting tmpfs on /dev
fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
optional_policy(`
arpwatch_manage_data_files(initrc_t)
')
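Review bot: `fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)` in the `distro_gentoo` block is not limited to /dev. As far as the interface name indicates, it covers any regular file that initrc_t creates in a tmpfs-labelled directory, so files that init scripts write on other tmpfs mounts would also end up as initrc_state_t. The comment marks the rule as temporary but leaves nothing to track, so I would extend it, e.g. `# TODO: remove once baselayout runs restorecon right after mounting tmpfs on /dev`. The gentoo block continues past the end of the hunk.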


@ -64,8 +64,20 @@ ifdef(`distro_gentoo',`
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_gentoo',`
# despite the extensions, they're actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api gen_context(system_u:object_r:shlib_t,s0)
/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.api gen_context(system_u:object_r:shlib_t,s0)
/opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt/RealPlayer/codecs/.*\.so gen_context(system_u:object_r:shlib_t,s0)
/opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt/RealPlayer/common/.*\.so gen_context(system_u:object_r:shlib_t,s0)
/opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt/RealPlayer/lib/.*\.so gen_context(system_u:object_r:shlib_t,s0)
/opt/RealPlayer/mozilla(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt/RealPlayer/mozilla/.*\.so gen_context(system_u:object_r:shlib_t,s0)
')
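Review bot: The Acrobat `.api` entries and the RealPlayer `.*\.so` entries in the added gentoo block carry no `--` file-type specifier, unlike the `libflashplayer\.so` and `nppdf\.so` lines beside them. A directory or symlink whose path matches would therefore also be labelled shlib_t. If only regular files are meant, write them as e.g. `/opt/RealPlayer/codecs/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)`. The two netscape plugins are given textrel_shlib_t, so a one-line comment stating that they need text relocations would record why the more permissive label was chosen.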
#


@ -1,5 +1,5 @@
policy_module(libraries,1.3.10)
policy_module(libraries,1.3.11)
########################################
#


@ -1,5 +1,5 @@
policy_module(logging,1.3.8)
policy_module(logging,1.3.9)
########################################
#
@ -255,11 +255,13 @@ optional_policy(`
# syslogd local policy
#
# sys_admin chown fsetid for syslog-ng
# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
dontaudit syslogd_t self:capability sys_tty_config;
allow syslogd_t self:process signal_perms;
# setpgid for metalog
allow syslogd_t self:process { signal_perms setpgid };
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
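Review bot: `setpgid` in `allow syslogd_t self:process { signal_perms setpgid };` is granted to every daemon running as syslogd_t, although the comment above it attributes the need to metalog only. The reworded capability comment has the same shape: sys_admin is documented as needed for the integrated klog of syslog-ng and metalog, yet it is allowed for the whole domain. If the policy cannot scope these per daemon, the comments should say so, e.g. `# setpgid for metalog (granted to all syslogd_t daemons)`. The `# cjp: why net_admin!` question on the capability rule is still unanswered in the new text.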


@ -2,6 +2,12 @@
/etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
/etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
ifdef(`distro_gentoo',`
# gentoo init scripts still manage this file
# even if devfs is off
/etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0)
')
/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
/lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
@ -12,5 +18,6 @@
/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0)
/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
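Review bot: `/etc/modprobe.devfs.*` in the added gentoo block (first hunk of this section) leaves the dot unescaped, so it matches any character in that position. The two entries directly above it escape theirs, as in `modprobe\.conf`. It should read `/etc/modprobe\.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0)`. The `/sbin/modules-update` entry in the second hunk, which appears to be the added line there, is consistent with its neighbours.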


@ -1,5 +1,5 @@
policy_module(modutils,1.1.3)
policy_module(modutils,1.1.4)
gen_require(`
bool secure_mode_insmod;
@ -68,7 +68,7 @@ files_read_kernel_modules(insmod_t)
# for locking: (cjp: ????)
files_write_kernel_modules(insmod_t)
dev_search_sysfs(insmod_t)
dev_read_sysfs(insmod_t)
dev_search_usbfs(insmod_t)
dev_rw_mtrr(insmod_t)
dev_read_urand(insmod_t)
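Review bot: The change between `dev_search_sysfs(insmod_t)` and `dev_read_sysfs(insmod_t)` comes without a comment. Assuming the read variant is the new line, insmod_t goes from merely traversing sysfs to reading its contents. A one-line comment above the call naming what reads sysfs during module loading would let a later reviewer judge whether the wider access is still needed. The run of insmod_t rules starts and ends outside the hunk.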