[selinux-policy/f16] Add additional fixes to make build working
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Oct 16 11:28:51 UTC 2012
commit 00145e12fc0945988e04cce29e529cb91b067dfb
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Oct 16 13:28:29 2012 +0200
Add additional fixes to make build working
policy-F16.patch | 140 +++++++++++++++++++++++++++++++++++++++++++++++------
1 files changed, 124 insertions(+), 16 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 07b5233..dcffc5e 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1934,14 +1934,60 @@ index e0791b9..d84d16a 100644
+ term_dontaudit_use_all_ptys(traceroute_t)
+')
diff --git a/policy/modules/admin/passenger.if b/policy/modules/admin/passenger.if
-index f68b573..59ee69c 100644
+index f68b573..8fb9cd3 100644
--- a/policy/modules/admin/passenger.if
+++ b/policy/modules/admin/passenger.if
-@@ -37,3 +37,25 @@ interface(`passenger_read_lib_files',`
+@@ -18,6 +18,24 @@ interface(`passenger_domtrans',`
+ domtrans_pattern($1, passenger_exec_t, passenger_t)
+ ')
+
++######################################
++## <summary>
++## Execute passenger in the current domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`passenger_exec',`
++ gen_require(`
++ type passenger_exec_t;
++ ')
++
++ can_exec($1, passenger_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Read passenger lib files
+@@ -37,3 +55,84 @@ interface(`passenger_read_lib_files',`
read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
files_search_var_lib($1)
')
+
++########################################
++## <summary>
++## Manage passenger lib files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`passenger_manage_lib_files',`
++ gen_require(`
++ type passenger_var_lib_t;
++ ')
++
++ manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++ manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++ manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++ files_search_var_lib($1)
++')
++
+#####################################
+## <summary>
+## Manage passenger var_run content.
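Review bot: The `<param>` summary of the new `passenger_exec` interface says `Domain allowed to transition.`, but the body is `can_exec($1, passenger_exec_t)`, which runs passenger inside the caller's own domain with no transition — the wording appears copied from `passenger_domtrans` just above. Change it to `## Domain allowed access.` as the other interfaces in this hunk use, and consider making the summary say that the program runs with the caller's privileges, since that is the security-relevant difference from `passenger_domtrans`. `passenger_manage_lib_files` is consistent with `passenger_read_lib_files` above it and needs no change.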
@@ -1963,6 +2009,44 @@ index f68b573..59ee69c 100644
+ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+')
++
++########################################
++## <summary>
++## Connect to passenger unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`passenger_stream_connect',`
++ gen_require(`
++ type passenger_t;
++ ')
++
++ allow $1 passenger_t:unix_stream_socket connectto;
++')
++
++#######################################
++## <summary>
++## Allow to manage passenger tmp files/dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`passenger_manage_tmp_files',`
++ gen_require(`
++ type passenger_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
++ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
++')
diff --git a/policy/modules/admin/passenger.te b/policy/modules/admin/passenger.te
index 3470036..41f736e 100644
--- a/policy/modules/admin/passenger.te
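Review bot: `passenger_stream_connect` grants only `allow $1 passenger_t:unix_stream_socket connectto;`; a client also needs write access on the socket file and search on its directory, which this interface does not provide, so callers would be denied on the sock_file before the connectto rule is consulted. If the socket is created under `passenger_var_run_t` (the type the var_run interface earlier in this hunk manages sock files in), the refpolicy idiom is `files_search_pids($1)` followed by `stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t)`; confirm where passenger actually places the socket before adopting that.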
@@ -19098,7 +19182,7 @@ index 22821ff..247583e 100644
########################################
#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..2918153 100644
+index 97fcdac..3440698 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -19735,7 +19819,33 @@ index 97fcdac..2918153 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
-@@ -4457,6 +4851,8 @@ interface(`fs_mount_all_fs',`
+@@ -4268,6 +4662,25 @@ interface(`fs_manage_tmpfs_symlinks',`
+ manage_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
++#######################################
++## <summary>
++## Read and write, create and delete symbolic
++## links on tmpfs filesystems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_rw_inherited_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:file { read write };
++')
++
+ ########################################
+ ## <summary>
+ ## Read and write, create and delete socket
+@@ -4457,6 +4870,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
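Review bot: The summary on the new `fs_rw_inherited_tmpfs_files` interface is copied from `fs_manage_tmpfs_symlinks` and talks about symbolic links, but the body is `allow $1 tmpfs_t:file { read write };`. Replace the two summary lines with `## Read and write inherited tmpfs files.`. Because the rule deliberately omits `open`, it only applies to descriptors the domain already holds, which is what the name implies; a short sentence in the summary saying so would stop a later maintainer from "fixing" it into `rw_files_pattern`, which would widen the grant to opening any tmpfs file.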
@@ -19744,7 +19854,7 @@ index 97fcdac..2918153 100644
')
########################################
-@@ -4503,7 +4899,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4918,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -19753,7 +19863,7 @@ index 97fcdac..2918153 100644
## Example attributes:
## </p>
## <ul>
-@@ -4866,3 +5262,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5281,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -23500,7 +23610,7 @@ index 0000000..5832252
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..4ca5160
+index 0000000..eee721b
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,450 @@
@@ -23842,11 +23952,11 @@ index 0000000..4ca5160
+')
+
+optional_policy(`
-+<<<<<<< HEAD
+ ncftool_run(unconfined_t, unconfined_r)
-+=======
++')
++
++optional_policy(`
+ openshift_run(unconfined_usertype, unconfined_r)
-+>>>>>>> 65dea3b... Changes needed by openshift policy
+')
+
+optional_policy(`
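Review bot: Resolving the leftover conflict markers leaves `ncftool_run(unconfined_t, unconfined_r)` and `openshift_run(unconfined_usertype, unconfined_r)` as adjacent blocks with different first arguments — the concrete type versus the attribute. If granting the openshift transition to every unconfined user type is intended, that is fine; otherwise `unconfined_t` would match the neighbouring block. The rest of the file is outside this hunk, so which convention it follows elsewhere is not visible here.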
@@ -34178,7 +34288,7 @@ index 305ddf4..173cd16 100644
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..b3839be 100644
+index 0f28095..0dd5c5d 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -34421,7 +34531,7 @@ index 0f28095..b3839be 100644
+manage_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
+manage_fifo_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
+manage_dirs_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
-+logging_log_filetrans(hplip_t,hplip_var_log_t,{ dirs fifo_file file })
++logging_log_filetrans(hplip_t,hplip_var_log_t,{ dir fifo_file file })
+
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
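Review bot: The three `manage_*_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)` lines and the corrected `logging_log_filetrans(hplip_t,hplip_var_log_t,{ dir fifo_file file })` omit the space after commas, unlike the context line `manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)` directly below. Style only; for consistency write `logging_log_filetrans(hplip_t, hplip_var_log_t, { dir fifo_file file })` and likewise for the three pattern calls.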
@@ -50463,10 +50573,10 @@ index 0000000..681f8a0
+')
diff --git a/policy/modules/services/openshift.te b/policy/modules/services/openshift.te
new file mode 100644
-index 0000000..8f642e4
+index 0000000..0f91146
--- /dev/null
+++ b/policy/modules/services/openshift.te
-@@ -0,0 +1,351 @@
+@@ -0,0 +1,349 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -50662,12 +50772,10 @@ index 0000000..8f642e4
+files_dontaudit_getattr_all_dirs(openshift_domain)
+files_dontaudit_getattr_all_files(openshift_domain)
+files_dontaudit_list_mnt(openshift_domain)
-+files_dontaudit_list_var(openshift_domain)
+files_dontaudit_getattr_lost_found_dirs(openshift_domain)
+files_dontaudit_search_all_mountpoints(openshift_domain)
+files_dontaudit_search_spool(openshift_domain)
+files_dontaudit_search_all_dirs(openshift_domain)
-+files_dontaudit_list_var(openshift_domain)
+files_read_etc_files(openshift_domain)
+files_exec_etc_files(openshift_domain)
+files_read_usr_files(openshift_domain)
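Review bot: Both `files_dontaudit_list_var(openshift_domain)` lines are dropped, not just the duplicate, so by its name the new side no longer suppresses audit noise for listing var_t at all. If the removal is because that interface is not defined in this branch — which the commit subject suggests — this is fine; if only the duplication was the problem, one call should stay. A one-line comment at the removal site stating which case applies would keep the next reader from re-adding it.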