[selinux-policy: 1452/3172] fixes for gentoo

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:10:53 UTC 2010


commit 46fc46cfdd12a5fd8b3ab6646905f286f1a1a830
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri May 19 13:14:37 2006 +0000

    fixes for gentoo

 refpolicy/policy/modules/kernel/files.fc        |    3 ---
 refpolicy/policy/modules/services/cpucontrol.fc |    3 +++
 refpolicy/policy/modules/services/cpucontrol.te |   18 +++++++++++++-----
 refpolicy/policy/modules/services/privoxy.te    |    7 +++----
 refpolicy/policy/modules/services/xserver.fc    |    2 +-
 refpolicy/policy/modules/services/xserver.te    |   23 +++++++++++++----------
 refpolicy/policy/modules/system/libraries.fc    |   14 ++++++++++++++
 refpolicy/policy/modules/system/miscfiles.fc    |    7 +++++++
 8 files changed, 54 insertions(+), 23 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/files.fc b/refpolicy/policy/modules/kernel/files.fc
index 3a99727..b3a21ea 100644
--- a/refpolicy/policy/modules/kernel/files.fc
+++ b/refpolicy/policy/modules/kernel/files.fc
@@ -35,11 +35,8 @@ ifdef(`distro_suse',`
 #
 # /emul
 #
-
-ifdef(`distro_redhat',`
 /emul			-d	gen_context(system_u:object_r:usr_t,s0)
 /emul/.*			gen_context(system_u:object_r:usr_t,s0)
-')
 
 #
 # /etc
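Review bot: Removing the `distro_redhat` guard makes `/emul` and everything below it usr_t on every distribution, and nothing in the hunk records why that is now universally correct. On Gentoo the more specific library and locale entries added elsewhere in this commit presumably take precedence over the generic `/emul/.*` rule for their own subtrees, but any other content installed under /emul/linux/x86 (binaries, configuration, an /etc tree) will now be labeled usr_t rather than the type its native-tree counterpart gets. A one-line comment above the two entries would keep that decision reviewable, e.g. `# 32-bit compatibility trees (all distros); library and locale subtrees are labeled in libraries.fc and miscfiles.fc`.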
diff --git a/refpolicy/policy/modules/services/cpucontrol.fc b/refpolicy/policy/modules/services/cpucontrol.fc
index c3f9d3a..6905f77 100644
--- a/refpolicy/policy/modules/services/cpucontrol.fc
+++ b/refpolicy/policy/modules/services/cpucontrol.fc
@@ -3,5 +3,8 @@
 
 /sbin/microcode_ctl	--	gen_context(system_u:object_r:cpucontrol_exec_t,s0)
 
+/usr/sbin/cpufreqd	--	gen_context(system_u:object_r:cpuspeed_exec_t,s0)
 /usr/sbin/cpuspeed	--	gen_context(system_u:object_r:cpuspeed_exec_t,s0)
 /usr/sbin/powernowd	--	gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+
+/var/run/cpufreqd.pid	--	gen_context(system_u:object_r:cpuspeed_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te
index d2891df..256df78 100644
--- a/refpolicy/policy/modules/services/cpucontrol.te
+++ b/refpolicy/policy/modules/services/cpucontrol.te
@@ -1,5 +1,5 @@
 
-policy_module(cpucontrol,1.0.0)
+policy_module(cpucontrol,1.0.1)
 
 ########################################
 #
@@ -17,6 +17,9 @@ type cpuspeed_t;
 type cpuspeed_exec_t;
 init_system_domain(cpuspeed_t,cpuspeed_exec_t)
 
+type cpuspeed_var_run_t;
+files_pid_file(cpuspeed_var_run_t)
+
 ########################################
 #
 # CPU microcode loader local policy
@@ -82,21 +85,26 @@ dontaudit cpuspeed_t self:capability sys_tty_config;
 allow cpuspeed_t self:process { signal_perms setsched };
 allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
 
+allow cpuspeed_t cpuspeed_var_run_t:file manage_file_perms;
+files_pid_filetrans(cpuspeed_t,cpuspeed_var_run_t,file)
+
 kernel_read_system_state(cpuspeed_t)
 kernel_read_kernel_sysctls(cpuspeed_t)
 
 dev_rw_sysfs(cpuspeed_t)
 
-fs_search_auto_mountpoints(cpuspeed_t)
-
-term_dontaudit_use_console(cpuspeed_t)
-
 domain_use_interactive_fds(cpuspeed_t)
+# for demand/load-based scaling:
+domain_read_all_domains_state(cpuspeed_t)
 
 files_read_etc_files(cpuspeed_t)
 files_read_etc_runtime_files(cpuspeed_t)
 files_list_usr(cpuspeed_t)
 
+fs_search_auto_mountpoints(cpuspeed_t)
+
+term_dontaudit_use_console(cpuspeed_t)
+
 init_use_fds(cpuspeed_t)
 init_use_script_ptys(cpuspeed_t)
 
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index efff376..d42237f 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -1,5 +1,5 @@
 
-policy_module(privoxy,1.1.1)
+policy_module(privoxy,1.1.2)
 
 ########################################
 #
@@ -42,12 +42,11 @@ kernel_read_kernel_sysctls(privoxy_t)
 kernel_list_proc(privoxy_t)
 kernel_read_proc_symlinks(privoxy_t)
 
+corenet_non_ipsec_sendrecv(privoxy_t)
 corenet_tcp_sendrecv_all_if(privoxy_t)
-corenet_raw_sendrecv_all_if(privoxy_t)
 corenet_tcp_sendrecv_all_nodes(privoxy_t)
-corenet_raw_sendrecv_all_nodes(privoxy_t)
 corenet_tcp_sendrecv_all_ports(privoxy_t)
-corenet_non_ipsec_sendrecv(privoxy_t)
+corenet_tcp_bind_all_nodes(privoxy_t)
 corenet_tcp_bind_http_cache_port(privoxy_t)
 corenet_tcp_connect_http_port(privoxy_t)
 corenet_tcp_connect_http_cache_port(privoxy_t)
diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc
index eb6e748..e5e55a6 100644
--- a/refpolicy/policy/modules/services/xserver.fc
+++ b/refpolicy/policy/modules/services/xserver.fc
@@ -97,7 +97,7 @@ ifdef(`distro_debian', `
 /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
 
-/var/run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 
 ifdef(`distro_suse',`
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index e373e84..d4c0d7f 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -230,16 +230,16 @@ ifdef(`strict_policy',`
 	allow xdm_t xdm_lock_t:file create_file_perms;
 	files_lock_filetrans(xdm_t,xdm_lock_t,file)
 
-	allow xdm_t xdm_tmp_t:dir create_dir_perms;
-	allow xdm_t xdm_tmp_t:file create_file_perms;
-	allow xdm_t xdm_tmp_t:file create_file_perms;
+	allow xdm_t xdm_tmp_t:dir manage_dir_perms;
+	allow xdm_t xdm_tmp_t:file manage_file_perms;
+	allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
 	files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
 
-	allow xdm_t xdm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
-	allow xdm_t xdm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow xdm_t xdm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
-	allow xdm_t xdm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow xdm_t xdm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow xdm_t xdm_tmpfs_t:dir manage_dir_perms;
+	allow xdm_t xdm_tmpfs_t:file manage_file_perms;
+	allow xdm_t xdm_tmpfs_t:lnk_file create_lnk_perms;
+	allow xdm_t xdm_tmpfs_t:sock_file manage_file_perms;
+	allow xdm_t xdm_tmpfs_t:fifo_file manage_file_perms;
 	fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
 	allow xdm_t xdm_var_lib_t:file create_file_perms;
@@ -247,8 +247,9 @@ ifdef(`strict_policy',`
 	files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
 
 	allow xdm_t xdm_var_run_t:dir manage_dir_perms;
+	allow xdm_t xdm_var_run_t:file manage_file_perms;
 	allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
-	files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir fifo_file })
+	files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file })
 
 	allow xdm_t xdm_xserver_t:process signal;
 	allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
@@ -311,6 +312,8 @@ ifdef(`targeted_policy',`
 	allow xdm_t self:process { execheap execmem };
 	unconfined_domain(xdm_t)
 	unconfined_domtrans(xdm_t)
+	userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
+
 ')
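Review bot: The new `userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })` line writes its class set as `{file dir }` while the rest of this file uses `{ dir file fifo_file }` spacing; write it `{ file dir }` and drop the stray blank line before `')` so the block ends like the others. The transition is added only under `targeted_policy`, where `unconfined_domain(xdm_t)` already applies; if files the display manager writes into users' home directories need the same labeling under the strict policy, that is not covered here — only the targeted branch is visible in this hunk. The enclosing `ifdef(`targeted_policy'` block starts before the hunk.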
 
 tunable_policy(`use_nfs_home_dirs',`
@@ -383,7 +386,7 @@ optional_policy(`
 # XDM Xserver local policy
 #
 
-allow xdm_xserver_t xdm_t:process signal;
+allow xdm_xserver_t xdm_t:process { signal getpgid };
 allow xdm_xserver_t xdm_t:shm rw_shm_perms;
 
 # NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index 6b9c982..ab0c532 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -1,6 +1,14 @@
 #
 # /emul
 #
+ifdef(`distro_gentoo',`
+/emul/linux/x86/usr(/.*)?/lib(/.*)?		gen_context(system_u:object_r:lib_t,s0)
+/emul/linux/x86/usr(/.*)?/lib/.*\.so(\.[^/]*)*	-- gen_context(system_u:object_r:shlib_t,s0)
+/emul/linux/x86/lib(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/emul/linux/x86/lib/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:shlib_t,s0)
+/emul/linux/x86/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+')
+
 ifdef(`distro_redhat',`
 /emul/ia32-linux/usr(/.*)?/lib(/.*)?		gen_context(system_u:object_r:lib_t,s0)
 /emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)*	-- gen_context(system_u:object_r:shlib_t,s0)
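Review bot: The `-- gen_context` separators on the `/emul/linux/x86/usr(/.*)?/lib/.*\.so` and `/emul/linux/x86/lib(/.*)?/ld-` lines use a single space where the neighbouring entries use tabs; align them with the rest of the block so the columns line up. A caveat worth recording next to these entries: every file matched here becomes shlib_t, i.e. executable mappings for any domain that loads shared libraries, and 32-bit compatibility libraries are a frequent source of text relocations, so when execmod denials appear the fix is to label the individual offending files textrel_shlib_t rather than to relabel the tree, e.g. `# 32-bit compat libs: label individual textrel libraries textrel_shlib_t, do not widen this tree`. The `ifdef(`distro_redhat'` block that follows continues past the end of the hunk.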
@@ -29,6 +37,12 @@ ifdef(`distro_redhat',`
 /lib(64)?/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
 /lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
 
+ifdef(`distro_gentoo',`
+/lib32(/.*)?					gen_context(system_u:object_r:lib_t,s0)
+/lib32/.*\.so(\.[^/]*)*			--	gen_context(system_u:object_r:shlib_t,s0)
+/lib32/ld-[^/]*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:ld_so_t,s0)
+')
+
 #
 # /opt
 #
diff --git a/refpolicy/policy/modules/system/miscfiles.fc b/refpolicy/policy/modules/system/miscfiles.fc
index 0baad1f..7f4bdcd 100644
--- a/refpolicy/policy/modules/system/miscfiles.fc
+++ b/refpolicy/policy/modules/system/miscfiles.fc
@@ -1,4 +1,11 @@
 #
+# /emul
+#
+ifdef(`distro_gentoo',`
+/emul/linux/x86/usr/(X11R6/)?lib/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+')
+
+#
 # /etc
 #
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)

