[selinux-policy/f14/master] - More access needed for devicekit - Add dbadm policy
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Aug 30 15:37:14 UTC 2010
commit 872b0fc2235e059f40d65ab4509411d2959b9f12
Author: Dan Walsh <dwalsh at redhat.com>
Date: Mon Aug 30 11:37:13 2010 -0400
- More access needed for devicekit
- Add dbadm policy
policy-F14.patch | 59 +++++++++++++++++++++++++++++++++--------------------
1 files changed, 37 insertions(+), 22 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 964813c..9247ef9 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -17282,7 +17282,7 @@ index 03742d8..7b9c543 100644
')
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
-index 7cf6763..52ea89b 100644
+index 7cf6763..5b9771e 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
@@ -377,6 +377,25 @@ interface(`hal_read_pid_files',`
@@ -17334,8 +17334,8 @@ index 7cf6763..52ea89b 100644
+ ')
+
+ dontaudit $1 hald_t:fd use;
-+ dontaudit $1 hald_log_t:file rw_inherited_files_perms;
-+ dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 hald_log_t:file rw_inherited_file_perms;
++ dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit hald_t $1:socket_class_set { read write };
+ dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
+')
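Review bot: The two perm-set names this hunk switches to, `rw_inherited_file_perms` and `rw_inherited_fifo_file_perms`, are not defined anywhere in view, so only a policy build confirms they exist in obj_perm_sets.spt (the `read_inherited_file_perms` on the following line is another Fedora-added set of the same family). Worth running that build, since the old `rw_inherited_files_perms` looks like exactly such a misspelling. The interface's name and doc header, and the gen_require these dontaudits follow, start outside the hunk, so whether these unconditional dontaudits should sit under a `hide_broken_symptoms` guard like the seutil ones elsewhere in this commit cannot be judged from here.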
@@ -31929,10 +31929,21 @@ index 2cc4bda..9e81136 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 170e2c7..b0ee958 100644
+index 170e2c7..bbaa8cf 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
-@@ -361,6 +361,27 @@ interface(`seutil_exec_restorecon',`
+@@ -85,6 +85,10 @@ interface(`seutil_domtrans_loadpolicy',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, load_policy_exec_t, load_policy_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit load_policy_t $1:socket_class_set { read write };
++ ')
+ ')
+
+ ########################################
+@@ -361,6 +365,27 @@ interface(`seutil_exec_restorecon',`
########################################
## <summary>
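Review bot: The new `dontaudit load_policy_t $1:socket_class_set { read write };` carries no comment saying which denial it silences, and a bare dontaudit on inherited sockets is easy to misread later as a grant or to leave in place after the leaking caller is fixed; suggest `# callers leak socket fds across the load_policy transition; silence the denial, no access is granted` above the ifdef. Because it only suppresses audit records, a caller that really does leak a listening socket into load_policy_t will no longer show up in the logs, so keeping it behind `hide_broken_symptoms` is the right call. Separately, the `/etc/share/selinux/targeted(/.*)?` and `/etc/share/selinux/mls(/.*)?` file contexts shown as context at the top of the hunk look like a slip for a `/usr/share/selinux/...` path; that predates this commit, so only flagging it for a follow-up.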
@@ -31960,18 +31971,18 @@ index 170e2c7..b0ee958 100644
## Execute run_init in the run_init domain.
## </summary>
## <param name="domain">
-@@ -514,6 +535,10 @@ interface(`seutil_domtrans_setfiles',`
+@@ -514,6 +539,10 @@ interface(`seutil_domtrans_setfiles',`
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, setfiles_exec_t, setfiles_t)
+
+ ifdef(`hide_broken_symptoms', `
-+ dontaudit consoletype_t $1:socket_class_set { read write };
++ dontaudit setfiles_t $1:socket_class_set { read write };
+ ')
')
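Review bot: The `consoletype_t` to `setfiles_t` correction shows the risk in the three near-identical `ifdef(`hide_broken_symptoms'` blocks this commit adds to seutil_domtrans_loadpolicy, seutil_domtrans_setfiles and seutil_domtrans_semanage: the only token that differs is the domain name, and a copy-paste already got it wrong once. A small shared template, or at minimum a one-line comment per block such as `# must name the domain domtrans_pattern() above transitions to`, would make the next slip visible in review. The doc header of seutil_domtrans_setfiles lies outside the hunk.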
########################################
-@@ -545,6 +570,53 @@ interface(`seutil_run_setfiles',`
+@@ -545,6 +574,53 @@ interface(`seutil_run_setfiles',`
########################################
## <summary>
@@ -32025,7 +32036,7 @@ index 170e2c7..b0ee958 100644
## Execute setfiles in the caller domain.
## </summary>
## <param name="domain">
-@@ -690,6 +762,7 @@ interface(`seutil_manage_config',`
+@@ -690,6 +766,7 @@ interface(`seutil_manage_config',`
')
files_search_etc($1)
@@ -32033,10 +32044,18 @@ index 170e2c7..b0ee958 100644
manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')
-@@ -1009,6 +1082,26 @@ interface(`seutil_domtrans_semanage',`
-
- ########################################
- ## <summary>
+@@ -1005,6 +1082,30 @@ interface(`seutil_domtrans_semanage',`
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, semanage_exec_t, semanage_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit semanage_t $1:socket_class_set { read write };
++ ')
++')
++
++########################################
++## <summary>
+## Execute a domain transition to run setsebool.
+## </summary>
+## <param name="domain">
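Review bot: `dontaudit semanage_t $1:socket_class_set { read write };` silences denials on inherited sockets for the domain that manages the policy store, which is one of the places an analyst would most want to see an unexpected fd leak; keep it strictly behind `hide_broken_symptoms` as it is, and add a why-comment such as `# callers leak socket fds into semanage_t; silence only, no access granted` so it is not mistaken for an allow. A dontaudit does not fix the leak itself: the caller should mark its sockets close-on-exec, and this rule can go once that is done. The setsebool doc header that begins at the bottom of the hunk continues outside it.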
@@ -32053,14 +32072,10 @@ index 170e2c7..b0ee958 100644
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, setsebool_exec_t, setsebool_t)
-+')
-+
-+########################################
-+## <summary>
- ## Execute semanage in the semanage domain, and
- ## allow the specified role the semanage domain,
- ## and use the caller's terminal.
-@@ -1038,6 +1131,54 @@ interface(`seutil_run_semanage',`
+ ')
+
+ ########################################
+@@ -1038,6 +1139,54 @@ interface(`seutil_run_semanage',`
########################################
## <summary>
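Review bot: seutil_domtrans_setsebool, whose body is visible in this hunk, does not get the `hide_broken_symptoms` dontaudit that loadpolicy, setfiles and semanage receive in this commit. If that is deliberate, a comment saying so avoids a future "consistency" patch; if not, the missing lines are `ifdef(`hide_broken_symptoms', `dontaudit setsebool_t $1:socket_class_set { read write };')` after the domtrans_pattern call. The surrounding reshuffle of `')` and the seutil_run_semanage doc header is layout only, and the hunk ends inside that doc comment.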
@@ -32115,7 +32130,7 @@ index 170e2c7..b0ee958 100644
## Full management of the semanage
## module store.
## </summary>
-@@ -1149,3 +1290,194 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1149,3 +1298,194 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')