Allow firewallgui to sys_rawio which seems to be required to setup masqerading

Allow all domains to search through default_t directories, in order to find differnet labels. For example people serring up /foo/bar to be share via samba. Add label for /var/log/slim.log
2010-09-25 06:23:04 -04:00 · 2010-09-25 06:23:04 -04:00 · fb52482a1f
commit fb52482a1f
parent f7307c60ba
3 changed files with 5 additions and 2 deletions
--- a/policy/modules/apps/firewallgui.te
+++ b/policy/modules/apps/firewallgui.te
@ -17,8 +17,7 @@ files_tmp_file(firewallgui_tmp_t)
 # firewallgui local policy
 #

-allow firewallgui_t self:capability net_admin;
-
+allow firewallgui_t self:capability { net_admin sys_rawio } ;
 allow firewallgui_t self:fifo_file rw_fifo_file_perms;

 manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@ -121,6 +121,9 @@ term_use_controlling_term(domain)

 # list the root directory
 files_list_root(domain)
+# allow all domains to search through default_t directory, since users sometimes
+# place labels within these directories.  (samba_share_t) for example.
+files_search_default(domain)

 # All executables should be able to search the directory they are in
 corecmd_search_bin(domain)
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@ -106,6 +106,7 @@ ifdef(`distro_debian', `
 /var/cache/gdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)

 /var/log/gdm(/.*)?		gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/slim\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
 /var/log/lxdm\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
 /var/log/[kw]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)