[selinux-policy: 1296/3172] fixes from thomas bleher Fri, 24 Mar 2006 13:25:54 +0100

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:57:17 UTC 2010


commit 8b2d5ca6db8728268b00f06bdab25549516d6159
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Mar 24 16:48:35 2006 +0000

    fixes from thomas bleher Fri, 24 Mar 2006 13:25:54 +0100

 refpolicy/Changelog                             |    1 +
 refpolicy/policy/modules/services/cups.te       |    7 ++++++-
 refpolicy/policy/modules/services/postgresql.fc |    4 ++++
 refpolicy/policy/modules/services/xfs.fc        |    1 +
 refpolicy/policy/modules/services/xserver.fc    |    3 +++
 refpolicy/policy/modules/system/init.te         |    6 ++++--
 refpolicy/policy/modules/system/selinuxutil.te  |    4 +++-
 7 files changed, 22 insertions(+), 4 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 2aa3642..33d8754 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Miscellaneous fixes from Thomas Bleher.
 - Deprecate module name as first parameter of optional_policy()
   now that optionals are allowed everywhere.
 - Enable optional blocks in base module and monolithic policy.
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index cc38a0c..0c5fe40 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -32,7 +32,8 @@ logging_log_file(cupsd_log_t)
 
 type cupsd_lpd_t;
 type cupsd_lpd_exec_t;
-inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
+domain_type(cupsd_lpd_t)
+domain_entry_file(cupsd_lpd_t,cupsd_lpd_exec_t)
 role system_r types cupsd_lpd_t;
 
 type cupsd_lpd_tmp_t;
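Review bot: The unconditional `domain_type(cupsd_lpd_t)` / `domain_entry_file(cupsd_lpd_t,cupsd_lpd_exec_t)` pair added here has no comment explaining why it no longer comes from `inetd_service_domain`, which the second cups.te hunk (@@ -725,6 +726,10) moves into an `optional_policy` block. I would add `# declared directly so the module still builds without inetd; the inetd transition is optional below`. When the inetd module is absent, the visible hunks provide no other transition into cupsd_lpd_t, so the lpd helper would presumably run in its caller's domain rather than confined. The rest of cups.te is outside the hunks, so that should be confirmed and documented if intended.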
@@ -725,6 +726,10 @@ miscfiles_read_localization(cupsd_lpd_t)
 sysnet_read_config(cupsd_lpd_t)
 
 optional_policy(`
+	inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(cupsd_lpd_t)
 ')
 
diff --git a/refpolicy/policy/modules/services/postgresql.fc b/refpolicy/policy/modules/services/postgresql.fc
index 66acc36..a77d9eb 100644
--- a/refpolicy/policy/modules/services/postgresql.fc
+++ b/refpolicy/policy/modules/services/postgresql.fc
@@ -14,6 +14,10 @@
 
 /usr/lib(64)?/postgresql/bin/.* --	gen_context(system_u:object_r:postgresql_exec_t,s0)
 
+ifdef(`distro_debian', `
+/usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+')
+
 ifdef(`distro_redhat', `
 /usr/share/jonas/pgsql(/.*)?		gen_context(system_u:object_r:postgresql_db_t,s0)
 ')
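Review bot: The new Debian pattern `/usr/lib/postgresql/.*/bin/.*` uses `.*` for the version directory, and in file-context regexes `.` also matches `/`. The entry therefore labels every regular file under any `bin` directory at any depth below /usr/lib/postgresql as postgresql_exec_t, which is an entrypoint type. Limiting the version component to one path element keeps the label on the intended binaries: `/usr/lib/postgresql/[^/]+/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)`. A one-line comment that Debian installs a separate tree per PostgreSQL version would explain why the distro block exists.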
diff --git a/refpolicy/policy/modules/services/xfs.fc b/refpolicy/policy/modules/services/xfs.fc
index e5d320e..8e70038 100644
--- a/refpolicy/policy/modules/services/xfs.fc
+++ b/refpolicy/policy/modules/services/xfs.fc
@@ -1,6 +1,7 @@
 
 /tmp/\.font-unix(/.*)?		gen_context(system_u:object_r:xfs_tmp_t,s0)
 
+/usr/bin/xfs		--	gen_context(system_u:object_r:xfs_exec_t,s0)
 /usr/bin/xfstt		--	gen_context(system_u:object_r:xfs_exec_t,s0)
 
 /usr/X11R6/bin/xfs	--	gen_context(system_u:object_r:xfs_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc
index d0ba416..3d19691 100644
--- a/refpolicy/policy/modules/services/xserver.fc
+++ b/refpolicy/policy/modules/services/xserver.fc
@@ -55,6 +55,9 @@ ifdef(`strict_policy',`
 /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/xauth    	--      gen_context(system_u:object_r:xauth_exec_t,s0)
 /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+ifdef(`distro_debian', `
+/usr/sbin/gdm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
+')
 
 /usr/lib(64)?/qt-.*/etc/settings(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
 
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 9ab09cc..1dc2d5a 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -380,8 +380,6 @@ seutil_read_config(initrc_t)
 
 sysnet_read_config(initrc_t)
 
-udev_rw_db(initrc_t)
-
 userdom_read_all_users_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the 
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
@@ -709,6 +707,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	udev_rw_db(initrc_t)
+')
+
+optional_policy(`
 	uml_setattr_util_sockets(initrc_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 54a4013..632acdb 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -395,7 +395,9 @@ ifdef(`distro_redhat', `
 ')
 
 ifdef(`hide_broken_symptoms',`
-	udev_dontaudit_rw_dgram_sockets(restorecon_t)
+	optional_policy(`
+		udev_dontaudit_rw_dgram_sockets(restorecon_t)
+	')
 ')
 
 optional_policy(`
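Review bot: The `udev_dontaudit_rw_dgram_sockets(restorecon_t)` rule, now wrapped in `optional_policy` inside `hide_broken_symptoms`, still carries no comment saying which symptom it hides. A dontaudit rule removes the denial from the audit log, so anyone reviewing AVC records for restorecon_t will not see these events while the build option is on. I would add `# hides the denial from the audit log only; the access itself stays denied` above the inner block. If the cause is known (presumably a socket descriptor inherited from udev), name it there so the rule can be dropped once that is fixed.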

