[selinux-policy/f16] Remove tzdata policy
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Oct 20 16:00:53 UTC 2011
commit a864730b257454ab829ecb61d7829e13da4b0dad
Author: Miroslav <mgrepl at redhat.com>
Date: Thu Oct 20 18:00:38 2011 +0200
Remove tzdata policy
policy-F16.patch | 185 ++++++++++++++++++++++++++++++++++++-----------------
1 files changed, 125 insertions(+), 60 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index d98ece3..01d3a37 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -2956,7 +2956,7 @@ index d33daa8..8ba0f86 100644
+ allow rpm_script_t $1:process sigchld;
+')
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..8d3c1d8 100644
+index 47a8f7d..4b78d5b 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,10 +1,11 @@
@@ -3045,7 +3045,13 @@ index 47a8f7d..8d3c1d8 100644
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
-@@ -189,7 +211,7 @@ logging_send_syslog_msg(rpm_t)
+@@ -185,11 +207,13 @@ libs_domtrans_ldconfig(rpm_t)
+
+ logging_send_syslog_msg(rpm_t)
+
++miscfiles_filetrans_named_content(rpm_t)
++
+ # allow compiling and loading new policy
seutil_manage_src_policy(rpm_t)
seutil_manage_bin_policy(rpm_t)
@@ -3054,7 +3060,7 @@ index 47a8f7d..8d3c1d8 100644
userdom_use_unpriv_users_fds(rpm_t)
optional_policy(`
-@@ -207,6 +229,7 @@ optional_policy(`
+@@ -207,6 +231,7 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(rpm_t)
')
@@ -3062,7 +3068,7 @@ index 47a8f7d..8d3c1d8 100644
')
optional_policy(`
-@@ -214,7 +237,7 @@ optional_policy(`
+@@ -214,7 +239,7 @@ optional_policy(`
')
optional_policy(`
@@ -3071,7 +3077,7 @@ index 47a8f7d..8d3c1d8 100644
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
unconfined_dbus_chat(rpm_script_t)
-@@ -257,12 +280,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+@@ -257,12 +282,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
can_exec(rpm_script_t, rpm_script_tmpfs_t)
@@ -3090,7 +3096,7 @@ index 47a8f7d..8d3c1d8 100644
dev_list_sysfs(rpm_script_t)
# ideally we would not need this
-@@ -299,15 +328,17 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -299,15 +330,17 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
@@ -3111,13 +3117,15 @@ index 47a8f7d..8d3c1d8 100644
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
-@@ -332,18 +363,18 @@ logging_send_syslog_msg(rpm_script_t)
+@@ -331,19 +364,20 @@ libs_domtrans_ldconfig(rpm_script_t)
+ logging_send_syslog_msg(rpm_script_t)
miscfiles_read_localization(rpm_script_t)
-
+-
-modutils_domtrans_depmod(rpm_script_t)
-modutils_domtrans_insmod(rpm_script_t)
--
++miscfiles_filetrans_named_content(rpm_script_t)
+
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
@@ -3133,7 +3141,7 @@ index 47a8f7d..8d3c1d8 100644
')
')
-@@ -368,6 +399,11 @@ optional_policy(`
+@@ -368,6 +402,11 @@ optional_policy(`
')
optional_policy(`
@@ -3145,7 +3153,7 @@ index 47a8f7d..8d3c1d8 100644
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
')
-@@ -377,8 +413,9 @@ optional_policy(`
+@@ -377,8 +416,9 @@ optional_policy(`
')
optional_policy(`
@@ -20747,10 +20755,10 @@ index 2be17d2..2c588ca 100644
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..80db5fc 100644
+index e14b961..f3980e0 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -24,20 +24,47 @@ ifndef(`enable_mls',`
+@@ -24,20 +24,48 @@ ifndef(`enable_mls',`
#
# Local policy
#
@@ -20783,6 +20791,7 @@ index e14b961..80db5fc 100644
+init_dbus_chat(sysadm_t)
+init_script_role_transition(sysadm_r)
+
++miscfiles_filetrans_named_content(sysadm_t)
+miscfiles_read_hwdata(sysadm_t)
+
+sysnet_filetrans_named_content(sysadm_t)
@@ -20798,7 +20807,7 @@ index e14b961..80db5fc 100644
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -55,6 +82,7 @@ ifndef(`enable_mls',`
+@@ -55,6 +83,7 @@ ifndef(`enable_mls',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r)
@@ -20806,7 +20815,7 @@ index e14b961..80db5fc 100644
')
tunable_policy(`allow_ptrace',`
-@@ -67,9 +95,9 @@ optional_policy(`
+@@ -67,9 +96,9 @@ optional_policy(`
optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
@@ -20817,7 +20826,7 @@ index e14b961..80db5fc 100644
')
optional_policy(`
-@@ -98,6 +126,10 @@ optional_policy(`
+@@ -98,6 +127,10 @@ optional_policy(`
')
optional_policy(`
@@ -20828,7 +20837,7 @@ index e14b961..80db5fc 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -110,11 +142,19 @@ optional_policy(`
+@@ -110,11 +143,19 @@ optional_policy(`
')
optional_policy(`
@@ -20849,7 +20858,7 @@ index e14b961..80db5fc 100644
')
optional_policy(`
-@@ -128,6 +168,10 @@ optional_policy(`
+@@ -128,6 +169,10 @@ optional_policy(`
')
optional_policy(`
@@ -20860,7 +20869,7 @@ index e14b961..80db5fc 100644
dmesg_exec(sysadm_t)
')
-@@ -163,6 +207,13 @@ optional_policy(`
+@@ -163,6 +208,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -20874,7 +20883,7 @@ index e14b961..80db5fc 100644
')
optional_policy(`
-@@ -170,15 +221,20 @@ optional_policy(`
+@@ -170,15 +222,20 @@ optional_policy(`
')
optional_policy(`
@@ -20898,7 +20907,7 @@ index e14b961..80db5fc 100644
')
optional_policy(`
-@@ -198,22 +254,19 @@ optional_policy(`
+@@ -198,22 +255,19 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -20926,7 +20935,7 @@ index e14b961..80db5fc 100644
')
optional_policy(`
-@@ -225,25 +278,47 @@ optional_policy(`
+@@ -225,25 +279,47 @@ optional_policy(`
')
optional_policy(`
@@ -20974,7 +20983,7 @@ index e14b961..80db5fc 100644
portage_run(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
')
-@@ -253,19 +328,19 @@ optional_policy(`
+@@ -253,19 +329,19 @@ optional_policy(`
')
optional_policy(`
@@ -20998,7 +21007,7 @@ index e14b961..80db5fc 100644
')
optional_policy(`
-@@ -274,10 +349,7 @@ optional_policy(`
+@@ -274,10 +350,7 @@ optional_policy(`
optional_policy(`
rpm_run(sysadm_t, sysadm_r)
@@ -21010,7 +21019,7 @@ index e14b961..80db5fc 100644
')
optional_policy(`
-@@ -302,12 +374,18 @@ optional_policy(`
+@@ -302,12 +375,18 @@ optional_policy(`
')
optional_policy(`
@@ -21030,7 +21039,7 @@ index e14b961..80db5fc 100644
')
optional_policy(`
-@@ -332,7 +410,10 @@ optional_policy(`
+@@ -332,7 +411,10 @@ optional_policy(`
')
optional_policy(`
@@ -21042,7 +21051,7 @@ index e14b961..80db5fc 100644
')
optional_policy(`
-@@ -343,19 +424,15 @@ optional_policy(`
+@@ -343,19 +425,15 @@ optional_policy(`
')
optional_policy(`
@@ -21064,7 +21073,7 @@ index e14b961..80db5fc 100644
')
optional_policy(`
-@@ -367,45 +444,45 @@ optional_policy(`
+@@ -367,45 +445,45 @@ optional_policy(`
')
optional_policy(`
@@ -21121,7 +21130,7 @@ index e14b961..80db5fc 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -418,10 +495,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +496,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21132,7 +21141,7 @@ index e14b961..80db5fc 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
-@@ -439,6 +512,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +513,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role(sysadm_r, sysadm_t)
@@ -21140,7 +21149,7 @@ index e14b961..80db5fc 100644
')
optional_policy(`
-@@ -446,11 +520,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +521,66 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21919,10 +21928,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..49f2c54
+index 0000000..8d7dde1
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,504 @@
+@@ -0,0 +1,502 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -22012,6 +22021,8 @@ index 0000000..49f2c54
+
+authlogin_filetrans_named_content(unconfined_t)
+
++miscfiles_filetrans_named_content(unconfined_t)
++
+sysnet_filetrans_named_content(unconfined_t)
+
+optional_policy(`
@@ -22128,10 +22139,6 @@ index 0000000..49f2c54
+ ')
+
+ optional_policy(`
-+ tzdata_run(unconfined_usertype, unconfined_r)
-+ ')
-+
-+ optional_policy(`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
@@ -24654,7 +24661,7 @@ index 6480167..e12bbc0 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..f165efd 100644
+index 3136c6a..248682c 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,203 @@ policy_module(apache, 2.2.1)
@@ -25663,7 +25670,7 @@ index 3136c6a..f165efd 100644
')
########################################
-@@ -891,11 +1263,48 @@ optional_policy(`
+@@ -891,11 +1263,49 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -25710,7 +25717,8 @@ index 3136c6a..f165efd 100644
+
+dev_read_urand(httpd_passwd_t)
+
-+systemd_passwd_agent_dev_template(httpd)
++systemd_manage_passwd_run(httpd_t)
++#systemd_passwd_agent_dev_template(httpd)
+
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
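Review bot: `systemd_manage_passwd_run(httpd_t)` gives the main web-server domain create, write and delete rights on `systemd_passwd_var_run_t` files and socket files. The neighbouring rules in this hunk (`dev_read_urand(httpd_passwd_t)`, `domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)`) suggest the passphrase prompt runs in `httpd_passwd_t`. If only that helper needs the ask-password directory, `systemd_manage_passwd_run(httpd_passwd_t)` would be the tighter grant; this is inferred from the visible lines and should be checked against the denials that prompted the change. The disabled `#systemd_passwd_agent_dev_template(httpd)` line is better deleted or given a comment saying why it is kept, and the same applies to `#systemd_passwd_agent_dev_template(lvm)` in the lvm.te hunk.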
@@ -69602,7 +69610,7 @@ index 58bc27f..51e9872 100644
+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index a0a0ebf..e55e967 100644
+index a0a0ebf..5e4149d 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -69775,7 +69783,7 @@ index a0a0ebf..e55e967 100644
bootloader_rw_tmp_files(lvm_t)
')
-@@ -331,14 +364,26 @@ optional_policy(`
+@@ -331,14 +364,27 @@ optional_policy(`
')
optional_policy(`
@@ -69795,7 +69803,8 @@ index a0a0ebf..e55e967 100644
')
optional_policy(`
-+ systemd_passwd_agent_dev_template(lvm)
++ #systemd_passwd_agent_dev_template(lvm)
++ systemd_manage_passwd_run(lvm_t)
+')
+
+optional_policy(`
@@ -69825,7 +69834,7 @@ index 172287e..ec1f0e8 100644
/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index 926ba65..13762b6 100644
+index 926ba65..38de7a8 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -582,6 +582,26 @@ interface(`miscfiles_manage_man_pages',`
@@ -69855,31 +69864,56 @@ index 926ba65..13762b6 100644
## Read public files used for file
## transfer services.
## </summary>
-@@ -745,7 +765,24 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -745,7 +765,6 @@ interface(`miscfiles_etc_filetrans_localization',`
')
files_etc_filetrans($1, locale_t, file)
-+')
-+
+-
+ ')
+
+ ########################################
+@@ -769,3 +788,41 @@ interface(`miscfiles_manage_localization',`
+ manage_lnk_files_pattern($1, locale_t, locale_t)
+ ')
+
+########################################
+## <summary>
-+## Execute test files.
++## Transition to miscfiles named content
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_filetrans_named_content',`
+ gen_require(`
++ type locale_t;
+ type man_t;
++ type cert_t;
++ type fonts_t;
++ type fonts_cache_t;
++ type hwdata_t;
++ type tetex_data_t;
++ type public_content_t;
+ ')
-
++
++ files_etc_filetrans($1, locale_t, file, "localtime")
+ files_var_filetrans($1, man_t, dir, "man")
- ')
-
- ########################################
++ files_etc_filetrans($1, locale_t, file, "timezone")
++ files_etc_filetrans($1, locale_t, file, "clock")
++ files_etc_filetrans($1, cert_t, dir, "pki")
++ files_usr_filetrans($1, locale_t, dir, "locale")
++ files_usr_filetrans($1, locale_t, dir, "zoneinfo")
++ files_usr_filetrans($1, cert_t, dir, "certs")
++ files_usr_filetrans($1, fonts_t, dir, "fonts")
++ files_usr_filetrans($1, hwdata_t, dir, "hwdata")
++ files_var_filetrans($1, fonts_cache_t, dir, "fontconfig")
++ files_var_filetrans($1, tetex_data_t, dir, "fonts")
++ files_spool_filetrans($1, tetex_data_t, dir, "texmf")
++ files_var_lib_filetrans($1, tetex_data_t, dir, "texmf")
++ files_var_filetrans($1, public_content_t, dir, "ftp")
++')
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 703944c..1d3a6a9 100644
--- a/policy/modules/system/miscfiles.te
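Review bot: The summary "Transition to miscfiles named content" on `miscfiles_filetrans_named_content` does not say which names or types the caller gets, and this commit grants the interface to `rpm_t`, `rpm_script_t`, `sysadm_t` and `unconfined_t`. Each rule matches only on the object name and the parent directory's type, so a file named `clock` created in any `etc_t` directory becomes `locale_t`, and a `fonts` directory becomes `tetex_data_t` under `var_t` but `fonts_t` under `usr_t`. I would spell that out in the doc block, for example `## Create objects in etc, usr, var, spool and var_lib directories with a miscfiles type (locale_t, cert_t, man_t, fonts_t, ...) selected by object name.`, and add a `<desc>` listing the name/type pairs. Grouping the rules by parent directory would also make the list easier to audit, since `files_var_filetrans($1, man_t, dir, "man")` currently sits between two `files_etc_filetrans` lines.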
@@ -72568,10 +72602,10 @@ index 0000000..db57bc7
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..0b37d39
+index 0000000..79c358c
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,479 @@
+@@ -0,0 +1,502 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -72924,6 +72958,29 @@ index 0000000..0b37d39
+ allow $1 systemd_passwd_agent_t:process signal;
+')
+
++#######################################
++## <summary>
++## Send generic signals to systemd_passwd_agent processes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_manage_passwd_run',`
++ gen_require(`
++ type systemd_passwd_agent_t;
++ type systemd_passwd_var_run_t;
++ ')
++
++ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++
++ allow systemd_passwd_agent_t $1:process signull;
++ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
++')
++
+######################################
+## <summary>
+## Template for temporary sockets and files in /dev/.systemd/ask-password
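Review bot: The `<summary>` on the new `systemd_manage_passwd_run` interface reads "Send generic signals to systemd_passwd_agent processes.", which appears to be copied from the signal interface ending just above and does not describe this body. The body gives the caller manage access to `systemd_passwd_var_run_t` files and socket files, and lets `systemd_passwd_agent_t` send `signull` and unix datagrams to the caller. Suggested text: `## Manage systemd_passwd_agent runtime files and sockets, and allow the agent to signull and sendto the calling domain.` The last two rules grant the agent rights over the calling domain rather than the reverse, so an accurate summary is what tells a reviewer what each new caller exposes.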
@@ -73053,10 +73110,10 @@ index 0000000..0b37d39
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..a906f40
+index 0000000..1449552
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,369 @@
+@@ -0,0 +1,370 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -73209,8 +73266,9 @@ index 0000000..a906f40
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file })
++init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
+
+kernel_stream_connect(systemd_passwd_agent_t)
+
@@ -73427,7 +73485,7 @@ index 0000000..a906f40
+
+miscfiles_read_localization(systemctl_domain)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 0291685..7e94f4b 100644
+index 0291685..397e4f6 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -1,6 +1,6 @@
@@ -73440,7 +73498,14 @@ index 0291685..7e94f4b 100644
/etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
-@@ -21,4 +21,6 @@
+@@ -15,10 +15,13 @@
+ /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
++/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)