[selinux-policy/f13/master] - Add other fixes for spice - Add label for dev/hpilo/*

Miroslav Grepl mgrepl at fedoraproject.org
Wed Mar 9 15:01:58 UTC 2011


commit 83444c391cd2529923a4ea7edfaf57fc34a3a300
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Mar 9 16:01:55 2011 +0000

    - Add other fixes for spice
    - Add label for dev/hpilo/*

 policy-F13.patch    |   90 ++++++++++++++++++++++++++++++++++++++++++++++++---
 selinux-policy.spec |    6 +++-
 2 files changed, 90 insertions(+), 6 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 979192d..969029f 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -13175,9 +13175,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
  ##	Allow the caller to set the attributes of removable
  ##	devices device nodes.
  ## </summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.7.19/policy/modules/kernel/terminal.fc
+--- nsaserefpolicy/policy/modules/kernel/terminal.fc	2010-04-13 18:44:37.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/terminal.fc	2011-03-09 15:21:05.843980000 +0000
+@@ -6,6 +6,7 @@
+ /dev/console		-c	gen_context(system_u:object_r:console_device_t,s0)
+ /dev/cu.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/dcbri[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
++/dev/hpilo/[^/]*      -c  gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/hvc.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/hvsi.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/i2c[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+@@ -18,6 +19,7 @@
+ /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
+ /dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
++/dev/vport[0-9]p[0-9]+  -c  gen_context(system_u:object_r:virtio_device_t,s0)
+ /dev/xvc[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+ 
+ /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.19/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/terminal.if	2010-09-16 13:33:56.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/terminal.if	2011-03-09 15:11:53.340980002 +0000
 @@ -292,9 +292,11 @@
  interface(`term_dontaudit_use_console',`
  	gen_require(`
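Review bot: The new `/dev/vport[0-9]p[0-9]+` entry allows only a single digit for the device index before `p`, so if the kernel's `vport%dp%u` naming ever produces a tenth virtio-serial device, `/dev/vport10p1` would not match and would keep the generic device label; `/dev/vport[0-9]+p[0-9]+  -c  gen_context(system_u:object_r:virtio_device_t,s0)` covers both. The `/dev/hpilo/[^/]*` nodes are presumably the HP iLO channel interface rather than serial terminals, and labeling them tty_device_t hands that management channel to every domain that is allowed to use ttys; a dedicated type, as this same commit does for virtio, would be the least-privilege choice if the consuming tools are known. Both added lines also use spaces where the surrounding entries align with tabs.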
@@ -13284,6 +13303,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
  ')
  
  ########################################
+@@ -1449,3 +1472,22 @@
+ 	refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
+ 	term_dontaudit_use_all_ttys($1)
+ ')
++
++###################################
++## <summary>
++##      Read from and write to the virtio console.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`term_use_virtio_console',`
++        gen_require(`
++                type virtio_device_t;
++        ')
++
++        dev_list_all_dev_nodes($1)
++        allow $1 virtio_device_t:chr_file rw_chr_file_perms;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.7.19/policy/modules/kernel/terminal.te
+--- nsaserefpolicy/policy/modules/kernel/terminal.te	2010-04-13 18:44:37.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/terminal.te	2011-03-09 15:10:03.595980002 +0000
+@@ -57,3 +57,9 @@
+ #
+ type usbtty_device_t, serial_device;
+ dev_node(usbtty_device_t)
++
++#
++# virtio_device_t is the type of /dev/vport[0-9]p[0-9]
++#
++type virtio_device_t, serial_device;
++dev_node(virtio_device_t)
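Review bot: The comment added in terminal.te describes virtio_device_t as the type of `/dev/vport[0-9]p[0-9]`, which does not match the file-context regex (`...p[0-9]+`) this same commit adds; keep them identical, e.g. `# virtio_device_t is the type of /dev/vport[0-9]p[0-9]+ (virtio-serial ports)`. The type is also placed on the serial_device attribute, so any interface that grants access by that attribute will cover the virtio ports in addition to the new term_use_virtio_console() — presumably intended, but worth confirming since vdagent is the only caller shown. The body of term_use_virtio_console() is indented with spaces while the neighbouring interface (the term_dontaudit_use_all_ttys lines above it) uses tabs.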
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.19/policy/modules/roles/auditadm.te
 --- nsaserefpolicy/policy/modules/roles/auditadm.te	2010-04-13 18:44:37.000000000 +0000
 +++ serefpolicy-3.7.19/policy/modules/roles/auditadm.te	2011-02-07 16:38:06.752796002 +0000
@@ -39533,12 +39588,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn
  allow varnishd_t self:tcp_socket create_stream_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.fc serefpolicy-3.7.19/policy/modules/services/vdagent.fc
 --- nsaserefpolicy/policy/modules/services/vdagent.fc	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/vdagent.fc	2011-03-08 12:55:29.677413000 +0000
-@@ -0,0 +1,4 @@
++++ serefpolicy-3.7.19/policy/modules/services/vdagent.fc	2011-03-09 15:09:09.873980002 +0000
+@@ -0,0 +1,10 @@
 +
 +/sbin/vdagent		--	gen_context(system_u:object_r:vdagent_exec_t,s0)
 +
++/usr/sbin/spice-vdagentd        --  gen_context(system_u:object_r:vdagent_exec_t,s0)
++
 +/var/run/spice-vdagentd(/.*)?	gen_context(system_u:object_r:vdagent_var_run_t,s0)
++/var/run/spice-vdagentd.\pid    --  gen_context(system_u:object_r:vdagent_var_run_t,s0)
++
++/var/log/spice-vdagentd(/.*)?           gen_context(system_u:object_r:vdagent_log_t,s0)
++/var/log/spice-vdagentd\.log    --  gen_context(system_u:object_r:vdagent_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.if serefpolicy-3.7.19/policy/modules/services/vdagent.if
 --- nsaserefpolicy/policy/modules/services/vdagent.if	1970-01-01 00:00:00.000000000 +0000
 +++ serefpolicy-3.7.19/policy/modules/services/vdagent.if	2011-03-08 12:55:29.684413000 +0000
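Review bot: The `/var/run/spice-vdagentd.\pid` entry has the backslash on the wrong side of the dot: the `.` is left as a wildcard and `\p` is, in the PCRE dialect libselinux uses for file contexts, a Unicode-property escape that expects a `{...}` argument, so this line is likely to be rejected at file-context build time or never match the pid file. It should read `/var/run/spice-vdagentd\.pid    --  gen_context(system_u:object_r:vdagent_var_run_t,s0)`, matching the correctly escaped `spice-vdagentd\.log` entry below it. Without a matching entry the pid file created through files_pid_filetrans() still gets vdagent_var_run_t at runtime, but any relabel would reset it to var_run_t.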
@@ -39584,8 +39645,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdag
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.te serefpolicy-3.7.19/policy/modules/services/vdagent.te
 --- nsaserefpolicy/policy/modules/services/vdagent.te	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/vdagent.te	2011-03-08 13:05:40.170413001 +0000
-@@ -0,0 +1,38 @@
++++ serefpolicy-3.7.19/policy/modules/services/vdagent.te	2011-03-09 15:08:02.121980002 +0000
+@@ -0,0 +1,57 @@
 +policy_module(vdagent,1.0.0)
 +
 +########################################
@@ -39600,6 +39661,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdag
 +type vdagent_var_run_t;
 +files_pid_file(vdagent_var_run_t)
 +
++type vdagent_log_t;
++logging_log_file(vdagent_log_t)
++
 +permissive vdagent_t;
 +
 +########################################
@@ -39617,13 +39681,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdag
 +manage_lnk_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
 +files_pid_filetrans(vdagent_t, vdagent_var_run_t, { file dir sock_file })
 +
++manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
++manage_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
++logging_log_filetrans(vdagent_t, vdagent_log_t, { file })
++
 +domain_use_interactive_fds(vdagent_t)
 +
++dev_rw_input_dev(vdagent_t)
++
++term_use_virtio_console(vdagent_t)
++
 +files_read_etc_files(vdagent_t)
 +
 +miscfiles_read_localization(vdagent_t)
 +
 +userdom_use_user_ptys(vdagent_t)
++
++optional_policy(`
++    consolekit_dbus_chat(vdagent_t)
++')
++
++optional_policy(`
++    dbus_system_bus_client(vdagent_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.19/policy/modules/services/vhostmd.fc
 --- nsaserefpolicy/policy/modules/services/vhostmd.fc	2010-04-13 18:44:37.000000000 +0000
 +++ serefpolicy-3.7.19/policy/modules/services/vhostmd.fc	2010-07-21 08:49:49.000000000 +0000
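Review bot: `dev_rw_input_dev(vdagent_t)` grants read and write on every event_device_t node, which presumably covers `/dev/input/event*` as well as `/dev/uinput`, so the agent can read host-side keyboard and mouse input rather than only inject events; if uinput injection is all it needs, a comment such as `# rw event_device_t: uinput injection, also exposes /dev/input/event* reads` would make the grant reviewable, unless a narrower input-device interface exists. The log rules are inconsistent: `manage_dirs_pattern` permits creating directories under vdagent_log_t, but `logging_log_filetrans(vdagent_t, vdagent_log_t, { file })` only transitions files, so a directory the daemon creates in /var/log would end up var_log_t — either add `dir` to the filetrans or drop the dir rule if the daemon only writes `spice-vdagentd.log`. The optional_policy() bodies are indented with four spaces where refpolicy uses a tab. The domain also remains `permissive` (declared earlier in vdagent.te), so none of these rules are enforced yet and denials should still be audited before that line is removed.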
diff --git a/selinux-policy.spec b/selinux-policy.spec
index eac9f6a..0e66624 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 99%{?dist}
+Release: 100%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ exit 0
 %endif
 
 %changelog
+* Wed Mar 9 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-100
+- Add other fixes for spice
+- Add label for dev/hpilo/*
+
 * Tue Mar 8 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-99
 - Fixes for ssh_keygen policy
 - Allow sysadm_t to run ssh-keygen in ssh_keygen_t domain

