[selinux-policy: 2843/3172] merge latest upstream
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:13:05 UTC 2010
commit 898c0de0b7693cf689e18507449afd433cc7e616
Merge: ddcd5d6 76a9fe9
Author: Dan Walsh <dwalsh at redhat.com>
Date: Mon Aug 30 13:41:40 2010 -0400
merge latest upstream
Changelog | 1 +
policy/modules/admin/readahead.te | 4 ++-
policy/modules/kernel/corecommands.te | 3 +-
policy/modules/kernel/devices.if | 57 ++++++++++++++++++++++++++++++++-
policy/modules/kernel/devices.te | 6 +++-
policy/modules/kernel/filesystem.te | 3 +-
policy/modules/kernel/kernel.te | 5 +--
policy/modules/system/hostname.te | 4 ++-
policy/modules/system/init.te | 6 ++-
policy/modules/system/mount.te | 4 ++-
10 files changed, 80 insertions(+), 13 deletions(-)
---
diff --cc policy/modules/kernel/devices.if
index d0aaa1c,8b09281..e896bf7
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@@ -551,24 -552,24 +588,42 @@@ interface(`dev_rw_generic_chr_files',
########################################
## <summary>
+## Read and write generic block device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:blk_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+ ## Dontaudit attempts to read/write generic character device files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain to dontaudit access.
+ ## </summary>
+ ## </param>
+ #
+ interface(`dev_dontaudit_rw_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:chr_file rw_chr_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
## Create generic character device files.
## </summary>
## <param name="domain">
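Review bot: The new `dev_rw_generic_blk_files` interface applies `rw_chr_file_perms` to the `blk_file` class; refpolicy carries a class-specific set for block nodes, so the rule should read `allow $1 device_t:blk_file rw_blk_file_perms;`. Even if the two permission sets are identical at the moment, naming the block-device set keeps the rule correct should either macro be tuned later and matches how the sibling `dev_rw_generic_chr_files` pairs class and set. `device_t` is the label every /dev node carries until udev relabels it, so a caller of this interface gets read/write on whatever raw disk nodes exist before relabeling (and on any node udev never relabels); the summary should say so rather than just "generic block device files", e.g. `## Read and write generic (device_t) block device files, i.e. nodes not yet relabeled by udev.` The `dev_create_generic_chr_files` interface that begins at the bottom of this hunk continues outside it.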
diff --cc policy/modules/system/hostname.te
index f1edb15,1fd31c1..683494c
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@@ -25,8 -25,9 +25,10 @@@ kernel_list_proc(hostname_t
kernel_read_proc_symlinks(hostname_t)
dev_read_sysfs(hostname_t)
+ # Early devtmpfs, before udev relabel
+ dev_dontaudit_rw_generic_chr_files(hostname_t)
+domain_dontaudit_leaks(hostname_t)
domain_use_interactive_fds(hostname_t)
files_read_etc_files(hostname_t)
diff --cc policy/modules/system/init.te
index a100eb6,abab4cf..9f9b812
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@@ -145,7 -119,8 +144,9 @@@ corecmd_exec_chroot(init_t
corecmd_exec_bin(init_t)
dev_read_sysfs(init_t)
+dev_read_urand(init_t)
+ # Early devtmpfs
+ dev_rw_generic_chr_files(init_t)
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
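Review bot: `dev_rw_generic_chr_files(init_t)` is a permanent `allow` on `device_t:chr_file`, but the comment above it ("Early devtmpfs") suggests a transient need; nothing in the rule limits it to the pre-udev window, so any character node udev never relabels stays readable and writable by init_t for the life of the system. The hostname.te and mount.te hunks in this same merge handle the identical early-devtmpfs case with `dev_dontaudit_rw_generic_chr_files`, which only silences the denial. If init genuinely must open unlabeled nodes (plausibly the console before relabel, though the hunk does not show which node), the comment should state that the grant is not transient: `# Early devtmpfs: device_t chr nodes stay writable until udev relabels them (permanently for nodes it never relabels)`. If it does not, the dontaudit form used for mount_t is the safer choice.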
@@@ -402,6 -291,6 +403,7 @@@ dev_read_sound_mixer(initrc_t
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
++dev_rw_generic_chr_files(initrc_t)
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
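Review bot: `dev_rw_generic_chr_files(initrc_t)` arrives from both parents with no comment at all, unlike the init_t hunk above, and initrc_t is the domain every init script runs in, so this widens read/write on unlabeled character nodes to a far larger body of code than init itself. Together with `dev_setattr_all_chr_files(initrc_t)` directly above it, initrc_t can now both open and setattr any chr node udev has not relabeled. A one-line comment should record why init scripts need the open/write rather than just a dontaudit, e.g. `# Early devtmpfs: init scripts run before udev has relabeled /dev`, so a later reader does not mistake it for an accidental grant.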
diff --cc policy/modules/system/mount.te
index e36909c,fca6947..24ffd8a
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@@ -99,12 -59,10 +99,14 @@@ dev_rw_lvm_control(mount_t
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)
+ifdef(`hide_broken_symptoms',`
+ dev_rw_generic_blk_files(mount_t)
+')
+ # Early devtmpfs, before udev relabel
+ dev_dontaudit_rw_generic_chr_files(mount_t)
domain_use_interactive_fds(mount_t)
+domain_dontaudit_search_all_domains_state(mount_t)
files_search_all(mount_t)
files_read_etc_files(mount_t)
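Review bot: Under `hide_broken_symptoms`, `dev_rw_generic_blk_files(mount_t)` is a real `allow` on every `device_t:blk_file`, i.e. every block node in /dev that udev has not relabeled, which in early boot includes raw disk nodes; the character-device case one line below gets only a `dontaudit`. A build with that option therefore silently extends mount_t from the specific device types it is granted elsewhere in this file (e.g. `dev_rw_lvm_control`) to any unlabeled disk, and hides nothing since the grant succeeds rather than being suppressed. If the intent is only to quiet log noise, a `dev_dontaudit_rw_generic_blk_files` counterpart (not defined in this merge) would mirror the chr_file treatment; if mount genuinely must open unlabeled block devices before udev runs, the `ifdef` deserves a comment saying so, e.g. `# hide_broken_symptoms: mount may open block nodes udev has not yet relabeled`.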