testing fixes

2006-08-18 18:20:22 +00:00 · 2006-08-18 18:20:22 +00:00 · e9b9e45214
commit e9b9e45214
parent 4bc6e32e28
12 changed files with 51 additions and 14 deletions
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@ -103,6 +103,8 @@ ifdef(`distro_gentoo',`
 /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)

 ifdef(`distro_gentoo',`
+/opt/RealPlayer/realplay(\.bin)?	gen_context(system_u:object_r:bin_t,s0)
+/opt/RealPlayer/postint(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
 ')

--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@ -1,5 +1,5 @@

-policy_module(corecommands,1.3.11)
+policy_module(corecommands,1.3.12)

 ########################################
 #
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@ -12,7 +12,6 @@
 /dev/atibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/console		-c	gen_context(system_u:object_r:console_device_t,s0)
 /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/event.*		-c	gen_context(system_u:object_r:event_device_t,s0)
@ -99,6 +98,12 @@ ifdef(`distro_suse', `

 /dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)

+ifdef(`distro_gentoo',`
+# used by init scripts to initally populate udev /dev
+/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
+/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
+')
+
 ifdef(`distro_redhat',`
 # originally from named.fc
 /var/named/chroot/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@ -1,5 +1,5 @@

-policy_module(devices,1.1.16)
+policy_module(devices,1.1.17)

 ########################################
 #
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@ -1,8 +1,9 @@

 /dev/.*tty[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
-/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c gen_context(system_u:object_r:bsdpty_device_t,s0)
+/dev/[pt]ty[a-ep-z][0-9a-f] -c	gen_context(system_u:object_r:bsdpty_device_t,s0)
 /dev/adb.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/capi.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/console		-c	gen_context(system_u:object_r:console_device_t,s0)
 /dev/cu.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/dcbri[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/hvc.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
@ -29,4 +30,7 @@

 ifdef(`distro_gentoo',`
 /dev/tts/[0-9]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+
+# used by init scripts to initally populate udev /dev
+/lib/udev/devices/console -c	gen_context(system_u:object_r:console_device_t,s0)
 ')
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@ -1,5 +1,5 @@

-policy_module(terminal,1.1.2)
+policy_module(terminal,1.1.3)

 ########################################
 #
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -1,5 +1,5 @@

-policy_module(init,1.3.19)
+policy_module(init,1.3.20)

 gen_require(`
 	class passwd rootok;
@ -397,6 +397,11 @@ ifdef(`distro_debian',`
 ')

 ifdef(`distro_gentoo',`
+	# needed until baselayout is fixed to have the
+	# restorecon on /dev to again be immediately after
+	# mounting tmpfs on /dev
+	fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
+
 	optional_policy(`
 		arpwatch_manage_data_files(initrc_t)
 	')
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@ -64,8 +64,20 @@ ifdef(`distro_gentoo',`
 /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)

 ifdef(`distro_gentoo',`
+# despite the extensions, they're actually libs
+/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api gen_context(system_u:object_r:shlib_t,s0)
+/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.api gen_context(system_u:object_r:shlib_t,s0)
+
 /opt/netscape/plugins/libflashplayer\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/netscape/plugins/nppdf\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/RealPlayer/codecs(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/opt/RealPlayer/codecs/.*\.so			gen_context(system_u:object_r:shlib_t,s0)
+/opt/RealPlayer/common(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/opt/RealPlayer/common/.*\.so			gen_context(system_u:object_r:shlib_t,s0)
+/opt/RealPlayer/lib(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/opt/RealPlayer/lib/.*\.so			gen_context(system_u:object_r:shlib_t,s0)
+/opt/RealPlayer/mozilla(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/opt/RealPlayer/mozilla/.*\.so			gen_context(system_u:object_r:shlib_t,s0)
 ')

 #
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@ -1,5 +1,5 @@

-policy_module(libraries,1.3.10)
+policy_module(libraries,1.3.11)

 ########################################
 #
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@ -1,5 +1,5 @@

-policy_module(logging,1.3.8)
+policy_module(logging,1.3.9)

 ########################################
 #
@ -255,11 +255,13 @@ optional_policy(`
 # syslogd local policy
 #

-# sys_admin chown fsetid for syslog-ng
+# chown fsetid for syslog-ng
+# sys_admin for the integrated klog of syslog-ng and metalog
 # cjp: why net_admin!
 allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
 dontaudit syslogd_t self:capability sys_tty_config;
-allow syslogd_t self:process signal_perms;
+# setpgid for metalog
+allow syslogd_t self:process { signal_perms setpgid };
 allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@ -2,6 +2,12 @@
 /etc/modules\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
 /etc/modprobe\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)

+ifdef(`distro_gentoo',`
+# gentoo init scripts still manage this file
+# even if devfs is off
+/etc/modprobe.devfs.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
+')
+
 /lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
 /lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)

@ -12,5 +18,6 @@
 /sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
 /sbin/insmod.*		--	gen_context(system_u:object_r:insmod_exec_t,s0)
 /sbin/modprobe.*	--	gen_context(system_u:object_r:insmod_exec_t,s0)
+/sbin/modules-update	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
 /sbin/rmmod.*		--	gen_context(system_u:object_r:insmod_exec_t,s0)
 /sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@ -1,5 +1,5 @@

-policy_module(modutils,1.1.3)
+policy_module(modutils,1.1.4)

 gen_require(`
 	bool secure_mode_insmod;
@ -68,7 +68,7 @@ files_read_kernel_modules(insmod_t)
 # for locking: (cjp: ????)
 files_write_kernel_modules(insmod_t)

-dev_search_sysfs(insmod_t)
+dev_read_sysfs(insmod_t)
 dev_search_usbfs(insmod_t)
 dev_rw_mtrr(insmod_t)
 dev_read_urand(insmod_t)