[selinux-policy: 1296/3172] fixes from thomas bleher Fri, 24 Mar 2006 13:25:54 +0100
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:57:17 UTC 2010
commit 8b2d5ca6db8728268b00f06bdab25549516d6159
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Mar 24 16:48:35 2006 +0000
fixes from thomas bleher Fri, 24 Mar 2006 13:25:54 +0100
refpolicy/Changelog | 1 +
refpolicy/policy/modules/services/cups.te | 7 ++++++-
refpolicy/policy/modules/services/postgresql.fc | 4 ++++
refpolicy/policy/modules/services/xfs.fc | 1 +
refpolicy/policy/modules/services/xserver.fc | 3 +++
refpolicy/policy/modules/system/init.te | 6 ++++--
refpolicy/policy/modules/system/selinuxutil.te | 4 +++-
7 files changed, 22 insertions(+), 4 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 2aa3642..33d8754 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Miscellaneous fixes from Thomas Bleher.
- Deprecate module name as first parameter of optional_policy()
now that optionals are allowed everywhere.
- Enable optional blocks in base module and monolithic policy.
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index cc38a0c..0c5fe40 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -32,7 +32,8 @@ logging_log_file(cupsd_log_t)
type cupsd_lpd_t;
type cupsd_lpd_exec_t;
-inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
+domain_type(cupsd_lpd_t)
+domain_entry_file(cupsd_lpd_t,cupsd_lpd_exec_t)
role system_r types cupsd_lpd_t;
type cupsd_lpd_tmp_t;
@@ -725,6 +726,10 @@ miscfiles_read_localization(cupsd_lpd_t)
sysnet_read_config(cupsd_lpd_t)
optional_policy(`
+ inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
+')
+
+optional_policy(`
nis_use_ypbind(cupsd_lpd_t)
')
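Review bot: With `inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)` now inside `optional_policy`, the visible lines leave no rule that transitions any domain into cupsd_lpd_t when the inetd module is not built, so cups-lpd would presumably run in the domain of whatever started it rather than its confined one. The earlier hunk keeps the type valid through `domain_type` and `domain_entry_file`, which is what lets the optional block drop out cleanly, but that dependency is not recorded anywhere. A comment above the block would state it, for example `# cupsd_lpd_t is only entered via inetd; without that module the domain is declared but never entered`. The remaining cupsd_lpd_t rules lie outside both hunks, so another transition source may exist there.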
diff --git a/refpolicy/policy/modules/services/postgresql.fc b/refpolicy/policy/modules/services/postgresql.fc
index 66acc36..a77d9eb 100644
--- a/refpolicy/policy/modules/services/postgresql.fc
+++ b/refpolicy/policy/modules/services/postgresql.fc
@@ -14,6 +14,10 @@
/usr/lib(64)?/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+ifdef(`distro_debian', `
+/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+')
+
ifdef(`distro_redhat', `
/usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
')
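Review bot: The `.*` standing for the version directory in `/usr/lib/postgresql/.*/bin/.*` also matches `/`, so the pattern reaches a `bin` directory at any depth under /usr/lib/postgresql and gives its regular files the postgresql_exec_t entrypoint label. Restricting that component to a single path element keeps the label on the per-version bin directories only: `/usr/lib/postgresql/[^/]+/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)`. As with the existing `/usr/lib(64)?/postgresql/bin/.*` line above it, the trailing `.*` labels every regular file in that directory, so it is worth confirming that client tools installed there should share the server's entrypoint type.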
diff --git a/refpolicy/policy/modules/services/xfs.fc b/refpolicy/policy/modules/services/xfs.fc
index e5d320e..8e70038 100644
--- a/refpolicy/policy/modules/services/xfs.fc
+++ b/refpolicy/policy/modules/services/xfs.fc
@@ -1,6 +1,7 @@
/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:xfs_tmp_t,s0)
+/usr/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0)
/usr/bin/xfstt -- gen_context(system_u:object_r:xfs_exec_t,s0)
/usr/X11R6/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc
index d0ba416..3d19691 100644
--- a/refpolicy/policy/modules/services/xserver.fc
+++ b/refpolicy/policy/modules/services/xserver.fc
@@ -55,6 +55,9 @@ ifdef(`strict_policy',`
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
+ifdef(`distro_debian', `
+/usr/sbin/gdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+')
/usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 9ab09cc..1dc2d5a 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -380,8 +380,6 @@ seutil_read_config(initrc_t)
sysnet_read_config(initrc_t)
-udev_rw_db(initrc_t)
-
userdom_read_all_users_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
@@ -709,6 +707,10 @@ optional_policy(`
')
optional_policy(`
+ udev_rw_db(initrc_t)
+')
+
+optional_policy(`
uml_setattr_util_sockets(initrc_t)
')
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 54a4013..632acdb 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -395,7 +395,9 @@ ifdef(`distro_redhat', `
')
ifdef(`hide_broken_symptoms',`
- udev_dontaudit_rw_dgram_sockets(restorecon_t)
+ optional_policy(`
+ udev_dontaudit_rw_dgram_sockets(restorecon_t)
+ ')
')
optional_policy(`
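Review bot: The `udev_dontaudit_rw_dgram_sockets(restorecon_t)` call kept under `hide_broken_symptoms` suppresses the AVC records for restorecon_t touching udev's datagram sockets, and nothing in the hunk says which symptom it is hiding. Because the rule removes log evidence rather than access, a comment helps whoever audits it later, for example `# restorecon inherits udev's dgram socket; hide the denials until that is fixed` (the cause is inferred from the interface name and should be confirmed). The `optional_policy` block opened on the hunk's last line continues outside the hunk.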