[selinux-policy: 1452/3172] fixes for gentoo
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:10:53 UTC 2010
commit 46fc46cfdd12a5fd8b3ab6646905f286f1a1a830
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri May 19 13:14:37 2006 +0000
fixes for gentoo
refpolicy/policy/modules/kernel/files.fc | 3 ---
refpolicy/policy/modules/services/cpucontrol.fc | 3 +++
refpolicy/policy/modules/services/cpucontrol.te | 18 +++++++++++++-----
refpolicy/policy/modules/services/privoxy.te | 7 +++----
refpolicy/policy/modules/services/xserver.fc | 2 +-
refpolicy/policy/modules/services/xserver.te | 23 +++++++++++++----------
refpolicy/policy/modules/system/libraries.fc | 14 ++++++++++++++
refpolicy/policy/modules/system/miscfiles.fc | 7 +++++++
8 files changed, 54 insertions(+), 23 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/files.fc b/refpolicy/policy/modules/kernel/files.fc
index 3a99727..b3a21ea 100644
--- a/refpolicy/policy/modules/kernel/files.fc
+++ b/refpolicy/policy/modules/kernel/files.fc
@@ -35,11 +35,8 @@ ifdef(`distro_suse',`
#
# /emul
#
-
-ifdef(`distro_redhat',`
/emul -d gen_context(system_u:object_r:usr_t,s0)
/emul/.* gen_context(system_u:object_r:usr_t,s0)
-')
#
# /etc
diff --git a/refpolicy/policy/modules/services/cpucontrol.fc b/refpolicy/policy/modules/services/cpucontrol.fc
index c3f9d3a..6905f77 100644
--- a/refpolicy/policy/modules/services/cpucontrol.fc
+++ b/refpolicy/policy/modules/services/cpucontrol.fc
@@ -3,5 +3,8 @@
/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+/usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
/usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
/usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+
+/var/run/cpufreqd.pid -- gen_context(system_u:object_r:cpuspeed_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te
index d2891df..256df78 100644
--- a/refpolicy/policy/modules/services/cpucontrol.te
+++ b/refpolicy/policy/modules/services/cpucontrol.te
@@ -1,5 +1,5 @@
-policy_module(cpucontrol,1.0.0)
+policy_module(cpucontrol,1.0.1)
########################################
#
@@ -17,6 +17,9 @@ type cpuspeed_t;
type cpuspeed_exec_t;
init_system_domain(cpuspeed_t,cpuspeed_exec_t)
+type cpuspeed_var_run_t;
+files_pid_file(cpuspeed_var_run_t)
+
########################################
#
# CPU microcode loader local policy
@@ -82,21 +85,26 @@ dontaudit cpuspeed_t self:capability sys_tty_config;
allow cpuspeed_t self:process { signal_perms setsched };
allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
+allow cpuspeed_t cpuspeed_var_run_t:file manage_file_perms;
+files_pid_filetrans(cpuspeed_t,cpuspeed_var_run_t,file)
+
kernel_read_system_state(cpuspeed_t)
kernel_read_kernel_sysctls(cpuspeed_t)
dev_rw_sysfs(cpuspeed_t)
-fs_search_auto_mountpoints(cpuspeed_t)
-
-term_dontaudit_use_console(cpuspeed_t)
-
domain_use_interactive_fds(cpuspeed_t)
+# for demand/load-based scaling:
+domain_read_all_domains_state(cpuspeed_t)
files_read_etc_files(cpuspeed_t)
files_read_etc_runtime_files(cpuspeed_t)
files_list_usr(cpuspeed_t)
+fs_search_auto_mountpoints(cpuspeed_t)
+
+term_dontaudit_use_console(cpuspeed_t)
+
init_use_fds(cpuspeed_t)
init_use_script_ptys(cpuspeed_t)
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index efff376..d42237f 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -1,5 +1,5 @@
-policy_module(privoxy,1.1.1)
+policy_module(privoxy,1.1.2)
########################################
#
@@ -42,12 +42,11 @@ kernel_read_kernel_sysctls(privoxy_t)
kernel_list_proc(privoxy_t)
kernel_read_proc_symlinks(privoxy_t)
+corenet_non_ipsec_sendrecv(privoxy_t)
corenet_tcp_sendrecv_all_if(privoxy_t)
-corenet_raw_sendrecv_all_if(privoxy_t)
corenet_tcp_sendrecv_all_nodes(privoxy_t)
-corenet_raw_sendrecv_all_nodes(privoxy_t)
corenet_tcp_sendrecv_all_ports(privoxy_t)
-corenet_non_ipsec_sendrecv(privoxy_t)
+corenet_tcp_bind_all_nodes(privoxy_t)
corenet_tcp_bind_http_cache_port(privoxy_t)
corenet_tcp_connect_http_port(privoxy_t)
corenet_tcp_connect_http_cache_port(privoxy_t)
diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc
index eb6e748..e5e55a6 100644
--- a/refpolicy/policy/modules/services/xserver.fc
+++ b/refpolicy/policy/modules/services/xserver.fc
@@ -97,7 +97,7 @@ ifdef(`distro_debian', `
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
ifdef(`distro_suse',`
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index e373e84..d4c0d7f 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -230,16 +230,16 @@ ifdef(`strict_policy',`
allow xdm_t xdm_lock_t:file create_file_perms;
files_lock_filetrans(xdm_t,xdm_lock_t,file)
- allow xdm_t xdm_tmp_t:dir create_dir_perms;
- allow xdm_t xdm_tmp_t:file create_file_perms;
- allow xdm_t xdm_tmp_t:file create_file_perms;
+ allow xdm_t xdm_tmp_t:dir manage_dir_perms;
+ allow xdm_t xdm_tmp_t:file manage_file_perms;
+ allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
- allow xdm_t xdm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
- allow xdm_t xdm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow xdm_t xdm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
- allow xdm_t xdm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow xdm_t xdm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow xdm_t xdm_tmpfs_t:dir manage_dir_perms;
+ allow xdm_t xdm_tmpfs_t:file manage_file_perms;
+ allow xdm_t xdm_tmpfs_t:lnk_file create_lnk_perms;
+ allow xdm_t xdm_tmpfs_t:sock_file manage_file_perms;
+ allow xdm_t xdm_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow xdm_t xdm_var_lib_t:file create_file_perms;
@@ -247,8 +247,9 @@ ifdef(`strict_policy',`
files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
allow xdm_t xdm_var_run_t:dir manage_dir_perms;
+ allow xdm_t xdm_var_run_t:file manage_file_perms;
allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
- files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir fifo_file })
+ files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file })
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
@@ -311,6 +312,8 @@ ifdef(`targeted_policy',`
allow xdm_t self:process { execheap execmem };
unconfined_domain(xdm_t)
unconfined_domtrans(xdm_t)
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
+
')
tunable_policy(`use_nfs_home_dirs',`
@@ -383,7 +386,7 @@ optional_policy(`
# XDM Xserver local policy
#
-allow xdm_xserver_t xdm_t:process signal;
+allow xdm_xserver_t xdm_t:process { signal getpgid };
allow xdm_xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index 6b9c982..ab0c532 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -1,6 +1,14 @@
#
# /emul
#
+ifdef(`distro_gentoo',`
+/emul/linux/x86/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/emul/linux/x86/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+/emul/linux/x86/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/emul/linux/x86/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+/emul/linux/x86/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+')
+
ifdef(`distro_redhat',`
/emul/ia32-linux/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
@@ -29,6 +37,12 @@ ifdef(`distro_redhat',`
/lib(64)?/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+ifdef(`distro_gentoo',`
+/lib32(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/lib32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+/lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+')
+
#
# /opt
#
diff --git a/refpolicy/policy/modules/system/miscfiles.fc b/refpolicy/policy/modules/system/miscfiles.fc
index 0baad1f..7f4bdcd 100644
--- a/refpolicy/policy/modules/system/miscfiles.fc
+++ b/refpolicy/policy/modules/system/miscfiles.fc
@@ -1,4 +1,11 @@
#
+# /emul
+#
+ifdef(`distro_gentoo',`
+/emul/linux/x86/usr/(X11R6/)?lib/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+')
+
+#
# /etc
#
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
More information about the scm-commits
mailing list