[selinux-policy/f16] Add additional fixes to make build working

Miroslav Grepl mgrepl at fedoraproject.org
Tue Oct 16 11:28:51 UTC 2012


commit 00145e12fc0945988e04cce29e529cb91b067dfb
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Oct 16 13:28:29 2012 +0200

    Add additional fixes to make build working

 policy-F16.patch |  140 +++++++++++++++++++++++++++++++++++++++++++++++------
 1 files changed, 124 insertions(+), 16 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 07b5233..dcffc5e 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1934,14 +1934,60 @@ index e0791b9..d84d16a 100644
 +	term_dontaudit_use_all_ptys(traceroute_t)
 +')
 diff --git a/policy/modules/admin/passenger.if b/policy/modules/admin/passenger.if
-index f68b573..59ee69c 100644
+index f68b573..8fb9cd3 100644
 --- a/policy/modules/admin/passenger.if
 +++ b/policy/modules/admin/passenger.if
-@@ -37,3 +37,25 @@ interface(`passenger_read_lib_files',`
+@@ -18,6 +18,24 @@ interface(`passenger_domtrans',`
+ 	domtrans_pattern($1, passenger_exec_t, passenger_t)
+ ')
+ 
++######################################
++## <summary>
++##	Execute passenger in the current domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`passenger_exec',`
++	gen_require(`
++		type passenger_exec_t;
++	')
++
++	can_exec($1, passenger_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Read passenger lib files
+@@ -37,3 +55,84 @@ interface(`passenger_read_lib_files',`
  	read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
  	files_search_var_lib($1)
  ')
 +
++########################################
++## <summary>
++##	Manage passenger lib files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`passenger_manage_lib_files',`
++	gen_require(`
++		type passenger_var_lib_t;
++	')
++
++	manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++	manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++	manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++	files_search_var_lib($1)
++')
++
 +#####################################
 +## <summary>
 +##  Manage passenger var_run content.
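Review bot: The parameter summary on the new `passenger_exec` interface says `Domain allowed to transition.`, but the body only calls `can_exec($1, passenger_exec_t)`, so no domain transition takes place and the program runs in the caller's own domain. The text looks copied from `passenger_domtrans` directly above it. I would change the line to `##	Domain allowed access.` so that someone auditing callers from the interface documentation does not assume the process ends up confined as passenger_t.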
@@ -1963,6 +2009,44 @@ index f68b573..59ee69c 100644
 +    manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
 +    manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
 +')
++
++########################################
++## <summary>
++##	Connect to passenger unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`passenger_stream_connect',`
++	gen_require(`
++		type passenger_t;
++	')
++
++	allow $1 passenger_t:unix_stream_socket connectto;
++')
++
++#######################################
++## <summary>
++##  Allow to manage passenger tmp files/dirs.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`passenger_manage_tmp_files',`
++    gen_require(`
++        type passenger_tmp_t;
++    ')
++
++    files_search_tmp($1)
++	manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
++	manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
++')
 diff --git a/policy/modules/admin/passenger.te b/policy/modules/admin/passenger.te
 index 3470036..41f736e 100644
 --- a/policy/modules/admin/passenger.te
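Review bot: `passenger_stream_connect` grants only `connectto` on `passenger_t:unix_stream_socket`. If passenger listens on a named socket labelled `passenger_var_run_t` (the type in the context lines at the top of this hunk), a caller also needs search on the directory and write on the sock_file, which this interface does not give. In that case `stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t)`, with both types listed in `gen_require`, would keep the whole grant in one narrow interface rather than pushing callers towards the broader var_run manage interface. Separately, `passenger_manage_tmp_files` mixes four-space and tab indentation across its three rule lines.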
@@ -19098,7 +19182,7 @@ index 22821ff..247583e 100644
  ########################################
  #
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..2918153 100644
+index 97fcdac..3440698 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -19735,7 +19819,33 @@ index 97fcdac..2918153 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4457,6 +4851,8 @@ interface(`fs_mount_all_fs',`
+@@ -4268,6 +4662,25 @@ interface(`fs_manage_tmpfs_symlinks',`
+ 	manage_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Read and write, create and delete symbolic
++##  links on tmpfs filesystems.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`fs_rw_inherited_tmpfs_files',`
++        gen_require(`
++                type tmpfs_t;
++        ')
++
++        allow $1 tmpfs_t:file { read write };
++')
++
+ ########################################
+ ## <summary>
+ ##	Read and write, create and delete socket
+@@ -4457,6 +4870,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
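Review bot: The summary of `fs_rw_inherited_tmpfs_files` repeats the text of `fs_manage_tmpfs_symlinks` (`Read and write, create and delete symbolic links on tmpfs filesystems.`), but the rule is `allow $1 tmpfs_t:file { read write };`. That covers regular files only, with read and write and no open, create or unlink. I would replace the two summary lines with `##  Read and write inherited tmpfs files.` so the generated interface documentation matches the much narrower grant. The body is also indented with eight spaces where the neighbouring interfaces in this file use a tab.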
@@ -19744,7 +19854,7 @@ index 97fcdac..2918153 100644
  ')
  
  ########################################
-@@ -4503,7 +4899,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4918,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -19753,7 +19863,7 @@ index 97fcdac..2918153 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4866,3 +5262,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5281,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -23500,7 +23610,7 @@ index 0000000..5832252
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..4ca5160
+index 0000000..eee721b
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
 @@ -0,0 +1,450 @@
@@ -23842,11 +23952,11 @@ index 0000000..4ca5160
 +')
 +
 +optional_policy(`
-+<<<<<<< HEAD
 +	ncftool_run(unconfined_t, unconfined_r)
-+=======
++')
++
++optional_policy(`
 +	openshift_run(unconfined_usertype, unconfined_r)
-+>>>>>>> 65dea3b... Changes needed by openshift policy
 +')
 +
 +optional_policy(`
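Review bot: With the conflict resolved, `openshift_run` is called with `unconfined_usertype` while the `ncftool_run` call beside it uses `unconfined_t`. If `unconfined_usertype` is an attribute, as the name suggests, the openshift grant reaches every type carrying it rather than the single unconfined_t domain. It is worth confirming that this breadth is intended; if only the main domain needs it, `openshift_run(unconfined_t, unconfined_r)` would match the neighbouring call. Only part of unconfineduser.te is visible in this hunk, so the attribute's membership cannot be checked from here.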
@@ -34178,7 +34288,7 @@ index 305ddf4..173cd16 100644
  
  	admin_pattern($1, ptal_etc_t)
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..b3839be 100644
+index 0f28095..0dd5c5d 100644
 --- a/policy/modules/services/cups.te
 +++ b/policy/modules/services/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -34421,7 +34531,7 @@ index 0f28095..b3839be 100644
 +manage_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
 +manage_fifo_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
 +manage_dirs_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
-+logging_log_filetrans(hplip_t,hplip_var_log_t,{ dirs fifo_file file })
++logging_log_filetrans(hplip_t,hplip_var_log_t,{ dir fifo_file file })
 +
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
 -files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
@@ -50463,10 +50573,10 @@ index 0000000..681f8a0
 +')
 diff --git a/policy/modules/services/openshift.te b/policy/modules/services/openshift.te
 new file mode 100644
-index 0000000..8f642e4
+index 0000000..0f91146
 --- /dev/null
 +++ b/policy/modules/services/openshift.te
-@@ -0,0 +1,351 @@
+@@ -0,0 +1,349 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -50662,12 +50772,10 @@ index 0000000..8f642e4
 +files_dontaudit_getattr_all_dirs(openshift_domain)
 +files_dontaudit_getattr_all_files(openshift_domain)
 +files_dontaudit_list_mnt(openshift_domain)
-+files_dontaudit_list_var(openshift_domain)
 +files_dontaudit_getattr_lost_found_dirs(openshift_domain)
 +files_dontaudit_search_all_mountpoints(openshift_domain)
 +files_dontaudit_search_spool(openshift_domain)
 +files_dontaudit_search_all_dirs(openshift_domain)
-+files_dontaudit_list_var(openshift_domain)
 +files_read_etc_files(openshift_domain)
 +files_exec_etc_files(openshift_domain)
 +files_read_usr_files(openshift_domain)

