[selinux-policy/f14/master] - More access needed for devicekit - Add dbadm policy

Daniel J Walsh dwalsh at fedoraproject.org
Mon Aug 30 15:37:14 UTC 2010


commit 872b0fc2235e059f40d65ab4509411d2959b9f12
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Mon Aug 30 11:37:13 2010 -0400

    - More access needed for devicekit
    - Add dbadm policy

 policy-F14.patch |   59 +++++++++++++++++++++++++++++++++--------------------
 1 files changed, 37 insertions(+), 22 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 964813c..9247ef9 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -17282,7 +17282,7 @@ index 03742d8..7b9c543 100644
  ')
  
 diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
-index 7cf6763..52ea89b 100644
+index 7cf6763..5b9771e 100644
 --- a/policy/modules/services/hal.if
 +++ b/policy/modules/services/hal.if
 @@ -377,6 +377,25 @@ interface(`hal_read_pid_files',`
@@ -17334,8 +17334,8 @@ index 7cf6763..52ea89b 100644
 +	')
 +
 +	dontaudit $1 hald_t:fd use; 
-+	dontaudit $1 hald_log_t:file rw_inherited_files_perms;
-+	dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; 
++	dontaudit $1 hald_log_t:file rw_inherited_file_perms;
++	dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms; 
 +	dontaudit hald_t $1:socket_class_set { read write };
 +	dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
 +')
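Review bot: The rewritten line `dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms; ` keeps a trailing space after the semicolon, and the context line `dontaudit $1 hald_t:fd use; ` two lines above carries the same; `git diff --check` flags both, and since this is a patch inside a patch, stray whitespace is what usually makes the inner hunk stop applying later. Trimming both lines is a one-character change each. The enclosing hal interface starts outside this hunk, so its summary block could not be checked; as every rule in the block is a dontaudit, a comment such as `# fd/fifo/log descriptors leaked from hald into $1 are silenced, not granted` above the first rule would make the intent clear to readers of the interface.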
@@ -31929,10 +31929,21 @@ index 2cc4bda..9e81136 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 170e2c7..b0ee958 100644
+index 170e2c7..bbaa8cf 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
-@@ -361,6 +361,27 @@ interface(`seutil_exec_restorecon',`
+@@ -85,6 +85,10 @@ interface(`seutil_domtrans_loadpolicy',`
+ 
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, load_policy_exec_t, load_policy_t)
++
++	ifdef(`hide_broken_symptoms', `
++		dontaudit load_policy_t $1:socket_class_set { read write };
++	')
+ ')
+ 
+ ########################################
+@@ -361,6 +365,27 @@ interface(`seutil_exec_restorecon',`
  
  ########################################
  ## <summary>
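Review bot: The new `dontaudit load_policy_t $1:socket_class_set { read write };` block silences, under hide_broken_symptoms, every read/write denial on sockets the caller domain leaks into load_policy_t, but nothing in the hunk records why; a one-line comment `# callers leak socket fds into load_policy_t; silence the denial rather than allow it` above the ifdef would tell the next maintainer this is a deliberate leak-hiding rule and not a permission grant. The same unexplained rule is added for setfiles_t in the seutil_domtrans_setfiles hunk and for semanage_t in the seutil_domtrans_semanage hunk below. Because dontaudit suppresses the AVC record, a descriptor leaked into a policy-loading domain will not show in the audit log unless dontaudit rules are re-enabled with `semodule -DB`; that is worth a sentence in the interface's summary, which lies outside this hunk.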
@@ -31960,18 +31971,18 @@ index 170e2c7..b0ee958 100644
  ##	Execute run_init in the run_init domain.
  ## </summary>
  ## <param name="domain">
-@@ -514,6 +535,10 @@ interface(`seutil_domtrans_setfiles',`
+@@ -514,6 +539,10 @@ interface(`seutil_domtrans_setfiles',`
  	files_search_usr($1)
  	corecmd_search_bin($1)
  	domtrans_pattern($1, setfiles_exec_t, setfiles_t)
 +
 +	ifdef(`hide_broken_symptoms', `
-+		dontaudit consoletype_t $1:socket_class_set { read write };
++		dontaudit setfiles_t $1:socket_class_set { read write };
 +	')
  ')
  
  ########################################
-@@ -545,6 +570,53 @@ interface(`seutil_run_setfiles',`
+@@ -545,6 +574,53 @@ interface(`seutil_run_setfiles',`
  
  ########################################
  ## <summary>
@@ -32025,7 +32036,7 @@ index 170e2c7..b0ee958 100644
  ##	Execute setfiles in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -690,6 +762,7 @@ interface(`seutil_manage_config',`
+@@ -690,6 +766,7 @@ interface(`seutil_manage_config',`
  	')
  
  	files_search_etc($1)
@@ -32033,10 +32044,18 @@ index 170e2c7..b0ee958 100644
  	manage_files_pattern($1, selinux_config_t, selinux_config_t)
  	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
  ')
-@@ -1009,6 +1082,26 @@ interface(`seutil_domtrans_semanage',`
- 
- ########################################
- ## <summary>
+@@ -1005,6 +1082,30 @@ interface(`seutil_domtrans_semanage',`
+ 	files_search_usr($1)
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, semanage_exec_t, semanage_t)
++
++	ifdef(`hide_broken_symptoms', `
++		dontaudit semanage_t $1:socket_class_set { read write };
++	')
++')
++
++########################################
++## <summary>
 +##	Execute a domain transition to run setsebool.
 +## </summary>
 +## <param name="domain">
@@ -32053,14 +32072,10 @@ index 170e2c7..b0ee958 100644
 +	files_search_usr($1)
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, setsebool_exec_t, setsebool_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute semanage in the semanage domain, and
- ##	allow the specified role the semanage domain,
- ##	and use the caller's terminal.
-@@ -1038,6 +1131,54 @@ interface(`seutil_run_semanage',`
+ ')
+ 
+ ########################################
+@@ -1038,6 +1139,54 @@ interface(`seutil_run_semanage',`
  
  ########################################
  ## <summary>
@@ -32115,7 +32130,7 @@ index 170e2c7..b0ee958 100644
  ##	Full management of the semanage
  ##	module store.
  ## </summary>
-@@ -1149,3 +1290,194 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1149,3 +1298,194 @@ interface(`seutil_dontaudit_libselinux_linked',`
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')

