[selinux-policy: 1675/3172] setroubleshoot has a plugin that checks the file context on disk versus a matchpathcon. So needs ad

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:29:49 UTC 2010


commit 7aca2aa827a45094f2228070df8b8ab237f2cf12
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Mar 6 17:16:08 2007 +0000

    setroubleshoot has a plugin that checks the file context on disk versus a matchpathcon.  So needs additional privs

 Changelog                                 |    1 +
 policy/modules/services/setroubleshoot.te |    7 ++++++-
 2 files changed, 7 insertions(+), 1 deletions(-)
---
diff --git a/Changelog b/Changelog
index 3dce5ff..c04f3bb 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Patch for setroubleshoot for validating file contexts from Dan Walsh.
 - Patch for gssd fixes from Dan Walsh.
 - Patch for lvm fixes from Dan Walsh.
 - Patch for ricci fixes from Dan Walsh.
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index 2dee8bd..8689113 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -1,5 +1,5 @@
 
-policy_module(setroubleshoot,1.2.1)
+policy_module(setroubleshoot,1.2.2)
 
 ########################################
 #
@@ -74,8 +74,10 @@ domain_dontaudit_search_all_domains_state(setroubleshootd_t)
 files_read_usr_files(setroubleshootd_t)
 files_read_etc_files(setroubleshootd_t)
 files_getattr_all_dirs(setroubleshootd_t)
+files_getattr_all_files(setroubleshootd_t)
 
 selinux_get_enforce_mode(setroubleshootd_t)
+selinux_validate_context(setroubleshootd_t)
 
 term_dontaudit_use_console(setroubleshootd_t)
 term_dontaudit_use_all_user_ptys(setroubleshootd_t)
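Review bot: The added files_getattr_all_files(setroubleshootd_t) line widens the daemon from getattr on directories (the files_getattr_all_dirs context line above it) to getattr on every file, and nothing in the policy source says why. Add a one-line comment above it and above selinux_validate_context(setroubleshootd_t) tying both to the plugin that compares the on-disk context with matchpathcon, so a later least-privilege audit does not have to recover the reason from the commit log. It is also worth confirming whether the plugin inspects objects other than regular files and directories, since the two interface names only mention those.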
@@ -97,9 +99,12 @@ logging_send_syslog_msg(setroubleshootd_t)
 logging_stream_connect_auditd(setroubleshootd_t)
 
 seutil_read_config(setroubleshootd_t)
+seutil_read_file_contexts(setroubleshootd_t)
 
 sysnet_read_config(setroubleshootd_t)
 
+userdom_dontaudit_read_sysadm_home_content_files(setroubleshootd_t)
+
 ifdef(`targeted_policy',`
 	term_dontaudit_use_generic_ptys(setroubleshootd_t)
 	term_dontaudit_use_unallocated_ttys(setroubleshootd_t)
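Review bot: userdom_dontaudit_read_sysadm_home_content_files(setroubleshootd_t) is a dontaudit rather than an allow, and the commit message only mentions additional privileges for the file context check, so this line needs its own justification. With the denial silenced, the daemon's reads of sysadm home content will fail without an audit record, which makes a wrong or missing result for those paths hard to diagnose. Either add a comment stating that the read is intentionally denied and hidden, or move it to a separate change; seutil_read_file_contexts(setroubleshootd_t) in the same hunk matches the stated purpose and needs no change.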

