[selinux-policy: 832/3172] hide broken symptoms
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:17:00 UTC 2010
commit 3df88de0ba0e1ebc0ffa34266942fa7f95aec754
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Oct 24 22:55:28 2005 +0000
hide broken symptoms
refpolicy/policy/modules/services/cups.if | 18 ++++++++++++++++++
refpolicy/policy/modules/services/samba.te | 10 +++++++++-
refpolicy/policy/modules/system/selinuxutil.te | 2 +-
refpolicy/policy/modules/system/sysnetwork.te | 2 +-
4 files changed, 29 insertions(+), 3 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if
index 02c323e..d1e86d0 100644
--- a/refpolicy/policy/modules/services/cups.if
+++ b/refpolicy/policy/modules/services/cups.if
@@ -1 +1,19 @@
## <summary>Common UNIX printing system</summary>
+
+########################################
+## <summary>
+## Read cups-writable configuration files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`cups_read_rw_config',`
+ gen_require(`
+ type cupsd_etc_t, cupsd_rw_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 cupsd_etc_t:dir search_dir_perms;
+ allow $1 cupsd_rw_etc_t:file { getattr read };
+')
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index c6e77e8..28efc5a 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -208,6 +208,8 @@ allow smbd_t smbd_var_run_t:file create_file_perms;
allow smbd_t smbd_var_run_t:sock_file create_file_perms;
files_create_pid(smbd_t,smbd_var_run_t)
+allow smbd_t winbind_var_run_t:sock_file { read write getattr };
+
kernel_getattr_core(smbd_t)
kernel_getattr_message_if(smbd_t)
kernel_read_network_state(smbd_t)
@@ -281,6 +283,10 @@ tunable_policy(`allow_smbd_anon_write',`
miscfiles_manage_public_files(smbd_t)
')
+optional_policy(`cups.te',`
+ cups_read_rw_config(smbd_t)
+')
+
optional_policy(`kerberos.te',`
kerberos_use(smbd_t)
')
@@ -305,11 +311,13 @@ ifdef(`TODO',`
optional_policy(`rhgb.te',`
rhgb_domain(smbd_t)
')
+') dnl end TODO
+
ifdef(`hide_broken_symptoms', `
dontaudit smbd_t { devpts_t boot_t default_t tmpfs_t }:dir getattr;
dontaudit smbd_t devpts_t:dir getattr;
')
-')
+allow smbd_t mtrr_device_t:file getattr;
########################################
#
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 071446b..33cf4ee 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -342,7 +342,7 @@ ifdef(`distro_redhat', `
')
ifdef(`hide_broken_symptoms',`
- udev_donaudit_rw_unix_dgram_socket(restorecon_t)
+ udev_dontaudit_rw_unix_dgram_socket(restorecon_t)
')
optional_policy(`hotplug.te',`
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index d181cf9..631a5fe 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -329,7 +329,7 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`udev.te',`
- udev_donaudit_rw_unix_dgram_socket(ifconfig_t)
+ udev_dontaudit_rw_unix_dgram_socket(ifconfig_t)
')
')
More information about the scm-commits
mailing list