[selinux-policy: 989/3172] patch from dan

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:30:27 UTC 2010


commit af23450c36541e9834a708233c8a2e4802da0d2c
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Nov 23 19:02:40 2005 +0000

    patch from dan

 refpolicy/policy/modules/apps/webalizer.fc    |    2 +-
 refpolicy/policy/modules/apps/webalizer.te    |    2 +-
 refpolicy/policy/modules/kernel/filesystem.te |    3 ++-
 refpolicy/policy/modules/services/avahi.te    |    6 +++---
 refpolicy/policy/modules/services/cron.te     |   22 +++++++++++++---------
 refpolicy/policy/modules/services/ftp.fc      |    3 +--
 refpolicy/policy/modules/services/ftp.te      |    2 +-
 refpolicy/policy/modules/services/hal.if      |   17 +++++++++++++++++
 refpolicy/policy/modules/services/hal.te      |    3 ++-
 refpolicy/policy/modules/services/pegasus.te  |    3 ++-
 refpolicy/policy/modules/services/rpc.te      |    3 ++-
 refpolicy/policy/modules/system/mount.te      |    3 ---
 refpolicy/policy/modules/system/sysnetwork.te |    3 ++-
 13 files changed, 47 insertions(+), 25 deletions(-)
---
diff --git a/refpolicy/policy/modules/apps/webalizer.fc b/refpolicy/policy/modules/apps/webalizer.fc
index 6f0aa03..e4f7d30 100644
--- a/refpolicy/policy/modules/apps/webalizer.fc
+++ b/refpolicy/policy/modules/apps/webalizer.fc
@@ -7,4 +7,4 @@
 #
 # /var
 #
-/var/lib/webalizer(/.*)		gen_context(system_u:object_r:webalizer_var_lib_t,s0)
+/var/lib/webalizer(/.*)?	gen_context(system_u:object_r:webalizer_var_lib_t,s0)
diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te
index 4514a2e..cfaa1af 100644
--- a/refpolicy/policy/modules/apps/webalizer.te
+++ b/refpolicy/policy/modules/apps/webalizer.te
@@ -1,5 +1,5 @@
 
-policy_module(webalizer,1.0)
+policy_module(webalizer,1.0.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index 85492d8..df2bf26 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.0)
+policy_module(filesystem,1.0.1)
 
 ########################################
 #
@@ -114,6 +114,7 @@ allow tmpfs_t noxattrfs:filesystem associate;
 #
 type autofs_t, noxattrfs;
 fs_type(autofs_t)
+files_mountpoint(autofs_t)
 genfscon autofs / gen_context(system_u:object_r:autofs_t,s0)
 genfscon automount / gen_context(system_u:object_r:autofs_t,s0)
 
diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te
index 07c2824..9f5060e 100644
--- a/refpolicy/policy/modules/services/avahi.te
+++ b/refpolicy/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
 
-policy_module(avahi,1.0)
+policy_module(avahi,1.0.1)
 
 ########################################
 #
@@ -18,9 +18,9 @@ files_pid_file(avahi_var_run_t)
 # Local policy
 #
 
-allow avahi_t self:capability { dac_override setgid chown kill setuid };
+allow avahi_t self:capability { dac_override setgid chown kill setuid sys_chroot };
 dontaudit avahi_t self:capability sys_tty_config;
-allow avahi_t self:process { setrlimit signal_perms };
+allow avahi_t self:process { setrlimit signal_perms setcap };
 allow avahi_t self:fifo_file { read write };
 allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow avahi_t self:unix_dgram_socket create_socket_perms;
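Review bot: The two permissions added to `avahi_t` here, `sys_chroot` in the capability set and `setcap` in the process set, come without a comment saying which daemon behaviour needs them. They look like the pair a daemon needs to chroot itself and then reduce its capability sets at startup, but that is inferred, not shown in the hunk. The domain also keeps `dac_override` and `setuid`, so it is worth recording what the final privilege set is meant to be. I would add a line above the two rules such as `# avahi-daemon chroots and drops capabilities after startup (confirm against the daemon)`. The local policy section continues outside the hunk.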
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index f23fbd0..8215185 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
 
-policy_module(cron, 1.0)
+policy_module(cron, 1.0.1)
 
 gen_require(`
 	class passwd rootok;
@@ -170,14 +170,8 @@ tunable_policy(`fcron_crond', `
 	allow crond_t system_cron_spool_t:file create_file_perms;
 ')
 
-optional_policy(`cyrus.te',`
-	cyrus_manage_data(system_crond_t)
-')
-
-optional_policy(`inn.te',`
-	inn_manage_log(system_crond_t)
-	inn_manage_pid(system_crond_t)
-	inn_read_config(system_crond_t)
+optional_policy(`hal.te',`
+	hal_dbus_send(crond_t)
 ')
 
 optional_policy(`nis.te',`
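Review bot: `hal_dbus_send(crond_t)` grants one direction only, because the interface added in hal.if by this commit expands to `allow $1 hald_t:dbus send_msg;` with no rule letting `hald_t` send back to the caller. If crond expects a reply from hald, the return path would presumably still be denied unless a rule outside these hunks covers it. Either add the reverse rule to the interface, `allow hald_t $1:dbus send_msg;`, or put a comment on this call stating that crond only emits messages. The cyrus and inn blocks removed in this hunk are re-added by the second cron.te hunk inside an indented block whose opening line is outside the hunk, so it is worth confirming that every build which defines `system_crond_t` still gets them.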
@@ -375,10 +369,20 @@ ifdef(`targeted_policy',`
 		seutil_read_file_contexts(system_crond_t)
 	')
 
+	optional_policy(`cyrus.te',`
+		cyrus_manage_data(system_crond_t)
+	')
+
 	optional_policy(`ftp.te',`
 		ftp_read_log(system_crond_t)
 	')
 
+	optional_policy(`inn.te',`
+		inn_manage_log(system_crond_t)
+		inn_manage_pid(system_crond_t)
+		inn_read_config(system_crond_t)
+	')
+
 	optional_policy(`mysql.te',`
 		mysql_read_config(system_crond_t)
 	')
diff --git a/refpolicy/policy/modules/services/ftp.fc b/refpolicy/policy/modules/services/ftp.fc
index 926bef8..40cd7ae 100644
--- a/refpolicy/policy/modules/services/ftp.fc
+++ b/refpolicy/policy/modules/services/ftp.fc
@@ -18,8 +18,7 @@
 #
 # /var
 #
-/var/run/proftpd/proftpd-inetd -- gen_context(system_u:object_r:ftpd_var_run_t,s0)
-/var/run/proftpd/proftpd\.scoreboard -- gen_context(system_u:object_r:ftpd_var_run_t,s0)
+/var/run/proftpd(/.*)? 		gen_context(system_u:object_r:ftpd_var_run_t,s0)
 
 /var/log/muddleftpd\.log.* --	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
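Review bot: The replacement entry `/var/run/proftpd(/.*)?` has no file-type field, so it labels the directory and every object class beneath it as `ftpd_var_run_t`, where the two removed entries matched regular files only (`--`). That widens what carries the label and means `ftpd_t` needs directory permissions on `ftpd_var_run_t`. The ftp.te hunk in this commit changes only the module version, so those rules would have to exist already, and that is worth confirming. The new entry also has a space before the tabs that the neighbouring lines do not have.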
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index d19d772..d70bcfd 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
 
-policy_module(ftp,1.0)
+policy_module(ftp,1.0.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/hal.if b/refpolicy/policy/modules/services/hal.if
index 71a7a52..176811a 100644
--- a/refpolicy/policy/modules/services/hal.if
+++ b/refpolicy/policy/modules/services/hal.if
@@ -54,3 +54,20 @@ interface(`hal_stream_connect',`
 
 	allow $1 hald_t:unix_stream_socket connectto;
 ')
+
+########################################
+## <summary>
+##	Send a dbus message to hal.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`hal_dbus_send',`
+	gen_require(`
+		type hald_t;
+		class dbus send_msg;
+	')
+
+	allow $1 hald_t:dbus send_msg;
+')
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 725485c..0ddb0ee 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.0)
+policy_module(hal,1.0.1)
 
 ########################################
 #
@@ -80,6 +80,7 @@ selinux_compute_relabel_context(hald_t)
 selinux_compute_user_contexts(hald_t)
 
 storage_raw_read_removable_device(hald_t)
+storage_raw_write_removable_device(hald_t)
 storage_raw_read_fixed_disk(hald_t)
 storage_raw_write_fixed_disk(hald_t)
 
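Review bot: `storage_raw_write_removable_device(hald_t)` is added with no comment on why hald needs to write to removable block devices directly. Raw device writes bypass the labels on files stored on that media, so the grant deserves a justification in the policy itself, even though `hald_t` already holds the fixed-disk equivalent two lines below. I would put a comment above it naming the operation that needs it, for example `# hald writes removable media directly for <operation> (placeholder, fill in)`. If only some configurations need it, consider placing it behind a tunable.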
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
index 4efcce4..a33e21a 100644
--- a/refpolicy/policy/modules/services/pegasus.te
+++ b/refpolicy/policy/modules/services/pegasus.te
@@ -1,5 +1,5 @@
 
-policy_module(pegasus,1.0)
+policy_module(pegasus,1.0.1)
 
 ########################################
 #
@@ -79,6 +79,7 @@ auth_use_nsswitch(pegasus_t)
 auth_read_shadow(pegasus_t)
 
 domain_use_wide_inherit_fd(pegasus_t)
+domain_read_all_domains_state(pegasus_t)
 
 files_read_etc_files(pegasus_t)
 files_list_var_lib(pegasus_t)
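Review bot: `domain_read_all_domains_state(pegasus_t)` lets the CIM server read the process state of every domain on the system, and the hunk gives no reason for it. `pegasus_t` already has `auth_read_shadow` two lines above and, as far as I know, the service listens on the network, so each system-wide read adds to what a compromise of it would expose. I would add a comment such as `# CIM providers report process information (confirm which provider needs this)`. It is also worth checking whether a narrower interface covering only the domains pegasus reports on would do.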
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index 0f207fb..eb1e24e 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
 
-policy_module(rpc,1.0)
+policy_module(rpc,1.0.1)
 
 ########################################
 #
@@ -31,6 +31,7 @@ files_config_file(nfsd_ro_t)
 
 type var_lib_nfs_t;
 files_config_file(var_lib_nfs_t)
+files_mountpoint(var_lib_nfs_t)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 98e6397..7fcb1ad 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -133,9 +133,6 @@ optional_policy(`samba.te',`
 ')
 
 ifdef(`TODO',`
-# this goes to the nfs/rpc module
-files_mountpoint(var_lib_nfs_t)
-
 # TODO: Need to examine this further. Not sure how to handle this
 #type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
 #allow sysadm_t sysadm_mount_source_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 507905c..578129d 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
 
-policy_module(sysnetwork,1.0)
+policy_module(sysnetwork,1.0.1)
 
 ########################################
 #
@@ -58,6 +58,7 @@ allow dhcpc_t dhcp_etc_t:file { r_file_perms execute execute_no_trans };
 
 allow dhcpc_t dhcp_state_t:dir rw_dir_perms;
 allow dhcpc_t dhcp_state_t:file { getattr read };
+allow dhcpc_t dhcpc_state_t:dir rw_dir_perms;
 allow dhcpc_t dhcpc_state_t:file create_file_perms;
 type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
 

