[selinux-policy: 1570/3172] fix for netfilter_contexts

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:20:55 UTC 2010


commit 4bc6e32e2889aed59e9c5d17c25093ddcc83f54f
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Aug 18 14:01:48 2006 +0000

    fix for netfilter_contexts

 policy/modules/system/selinuxutil.if |   29 ++++++++++++++++++++++++-----
 policy/modules/system/selinuxutil.te |    5 +++--
 2 files changed, 27 insertions(+), 7 deletions(-)
---
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 4e2f51b..1c59671 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -706,7 +706,6 @@ interface(`seutil_search_default_contexts',`
 	allow $1 { selinux_config_t default_context_t }:dir search;
 ')
 
-
 ########################################
 ## <summary>
 ##	Read the default_contexts files.
@@ -723,10 +722,30 @@ interface(`seutil_read_default_contexts',`
 	')
 
 	files_search_etc($1)
-	allow $1 selinux_config_t:dir search;
-	allow $1 default_context_t:dir r_dir_perms;
+	allow $1 selinux_config_t:dir search_dir_perms;
+	allow $1 default_context_t:dir list_dir_perms;
 	allow $1 default_context_t:file r_file_perms;
-	allow $1 default_context_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the default_contexts files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_manage_default_contexts',`
+	gen_require(`
+		type selinux_config_t, default_context_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search_dir_perms;
+	allow $1 default_context_t:dir rw_dir_perms;
+	allow $1 default_context_t:file manage_file_perms;
 ')
 
 ########################################
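Review bot: The summary for the new seutil_manage_default_contexts gives no hint that this is a sensitive grant: it lets the caller create, rewrite and delete every file labelled default_context_t, not one configuration file. In reference policy that type normally labels the contexts directory that login-type programs consult when choosing a user's context, so a domain holding this interface can influence the contexts other sessions receive (inferred from the type's usual role; its file-context entries are not in this diff). I would extend the summary to something like `Create, read, write, and delete the default_contexts files. Callers can change the contexts assigned at login; grant only to trusted policy-management domains.` Separately, seutil_read_default_contexts no longer carries a lnk_file rule on the new side, so it is worth confirming that no symlinks carry default_context_t, otherwise existing readers will start seeing denials.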
@@ -789,7 +808,7 @@ interface(`seutil_manage_file_contexts',`
 	')
 
 	files_search_etc($1)
-	allow $1 selinux_config_t:dir search_dir_perms;
+	allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
 	allow $1 file_context_t:dir rw_dir_perms;
 	allow $1 file_context_t:file manage_file_perms;
 ')
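Review bot: The widened rule `allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;` has no comment saying why a file_contexts interface needs default_context_t, and every caller of seutil_manage_file_contexts now picks up that extra search permission. Presumably the file_contexts directory sits below the default_context_t-labelled contexts directory, which would also explain why the explicit seutil_search_default_contexts(semanage_t) call is dropped in selinuxutil.te. A one-line comment above the rule, such as `# file_contexts dir is reached through the contexts dir (default_context_t)`, would record that. The interface begins outside this hunk, and the other file_contexts interfaces in this file are not visible here, so they may need the same traversal rule.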
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 9488900..19bc01f 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.2.10)
+policy_module(selinuxutil,1.2.11)
 
 ifdef(`strict_policy',`
 	gen_require(`
@@ -593,7 +593,6 @@ logging_send_syslog_msg(semanage_t)
 
 miscfiles_read_localization(semanage_t)
 
-seutil_search_default_contexts(semanage_t)
 seutil_manage_file_contexts(semanage_t)
 seutil_manage_selinux_config(semanage_t)
 seutil_domtrans_setfiles(semanage_t)
@@ -604,6 +603,8 @@ seutil_use_newrole_fds(semanage_t)
 seutil_manage_module_store(semanage_t)
 seutil_get_semanage_trans_lock(semanage_t)
 seutil_get_semanage_read_lock(semanage_t)
+# netfilter_contexts:
+seutil_manage_default_contexts(semanage_t)
 
 userdom_search_sysadm_home_dirs(semanage_t)
 
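Review bot: The comment `# netfilter_contexts:` names one file, but seutil_manage_default_contexts(semanage_t), as defined in selinuxutil.if, grants rw_dir_perms and manage_file_perms over the whole default_context_t type, so semanage_t can now create, modify and delete any file with that label. If only netfilter_contexts needs to be written, a dedicated type for that file with its own manage interface would keep the grant to what semanage needs, though that is a larger change than this commit. At minimum the comment should state the real scope, e.g. `# netfilter_contexts appears to be labelled default_context_t; this grants manage on every file of that type`.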

