[selinux-policy: 1571/3172] testing fixes
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:21:01 UTC 2010
commit e9b9e452143e3f1ea8203527846de074a4759c0c
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Aug 18 18:20:22 2006 +0000
testing fixes
policy/modules/kernel/corecommands.fc | 2 ++
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/kernel/devices.fc | 7 ++++++-
policy/modules/kernel/devices.te | 2 +-
policy/modules/kernel/terminal.fc | 10 +++++++---
policy/modules/kernel/terminal.te | 2 +-
policy/modules/system/init.te | 7 ++++++-
policy/modules/system/libraries.fc | 12 ++++++++++++
policy/modules/system/libraries.te | 2 +-
policy/modules/system/logging.te | 8 +++++---
policy/modules/system/modutils.fc | 7 +++++++
policy/modules/system/modutils.te | 4 ++--
12 files changed, 51 insertions(+), 14 deletions(-)
---
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 8745c6f..bcf84b3 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -103,6 +103,8 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
ifdef(`distro_gentoo',`
+/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
+/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
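Review bot: The added path `/opt/RealPlayer/postint(/.*)?` looks like a misspelling of `postinst`. If the installer directory is actually named `postinst`, this entry matches nothing and the scripts there keep whatever label the broader /opt rules give them rather than `bin_t`. Please confirm against an installed tree and, if it is a typo, use `/opt/RealPlayer/postinst(/.*)? gen_context(system_u:object_r:bin_t,s0)`.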
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 854ca0e..5805cd0 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.3.11)
+policy_module(corecommands,1.3.12)
########################################
#
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index e1e67f6..f8735a4 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -12,7 +12,6 @@
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
-/dev/console -c gen_context(system_u:object_r:console_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
@@ -99,6 +98,12 @@ ifdef(`distro_suse', `
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
+ifdef(`distro_gentoo',`
+# used by init scripts to initally populate udev /dev
+/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
+')
+
ifdef(`distro_redhat',`
# originally from named.fc
/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
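Review bot: The comment added above the `/lib/udev/devices` entries misspells "initially" as "initally", and the same comment line is repeated in the terminal.fc hunk above `/lib/udev/devices/console`. Suggested text for both: `# used by init scripts to initially populate udev /dev`. It would also help to state that only the listed nodes receive device types, since any other node under that directory presumably falls back to the generic label for /lib.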
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 9d20945..c7aee13 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.1.16)
+policy_module(devices,1.1.17)
########################################
#
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index df0d76c..22ef391 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -1,10 +1,11 @@
/dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
-/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f] -c gen_context(system_u:object_r:bsdpty_device_t,s0)
+/dev/[pt]ty[a-ep-z][0-9a-f] -c gen_context(system_u:object_r:bsdpty_device_t,s0)
/dev/adb.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/capi.* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/console -c gen_context(system_u:object_r:console_device_t,s0)
/dev/cu.* -c gen_context(system_u:object_r:tty_device_t,s0)
-/dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ircomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
@@ -17,7 +18,7 @@
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
-/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-s15:c0.c255)
+/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-s15:c0.c255)
/dev/tts/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
@@ -29,4 +30,7 @@
ifdef(`distro_gentoo',`
/dev/tts/[0-9]* -c gen_context(system_u:object_r:tty_device_t,s0)
+
+# used by init scripts to initally populate udev /dev
+/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
')
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 9fa8156..216751b 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
-policy_module(terminal,1.1.2)
+policy_module(terminal,1.1.3)
########################################
#
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d798bd0..9580954 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.3.19)
+policy_module(init,1.3.20)
gen_require(`
class passwd rootok;
@@ -397,6 +397,11 @@ ifdef(`distro_debian',`
')
ifdef(`distro_gentoo',`
+ # needed until baselayout is fixed to have the
+ # restorecon on /dev to again be immediately after
+ # mounting tmpfs on /dev
+ fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
+
optional_policy(`
arpwatch_manage_data_files(initrc_t)
')
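Review bot: `fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)` is not limited to /dev. As I read the interface, every regular file initrc_t creates in a tmpfs-labelled directory will come out as `initrc_state_t` for as long as this workaround stays in. The comment should say that and carry a searchable marker for removal, for example `# TODO(gentoo): drop once baselayout runs restorecon right after mounting tmpfs on /dev; applies to all initrc_t file creation on tmpfs`. The distro_gentoo block continues past the end of the hunk.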
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 054f2bb..ec811c6 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -64,8 +64,20 @@ ifdef(`distro_gentoo',`
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_gentoo',`
+# despite the extensions, they're actually libs
+/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api gen_context(system_u:object_r:shlib_t,s0)
+/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.api gen_context(system_u:object_r:shlib_t,s0)
+
/opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/RealPlayer/codecs/.*\.so gen_context(system_u:object_r:shlib_t,s0)
+/opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/RealPlayer/common/.*\.so gen_context(system_u:object_r:shlib_t,s0)
+/opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/RealPlayer/lib/.*\.so gen_context(system_u:object_r:shlib_t,s0)
+/opt/RealPlayer/mozilla(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/RealPlayer/mozilla/.*\.so gen_context(system_u:object_r:shlib_t,s0)
')
#
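Review bot: The new `shlib_t` entries (the two `.*\.api` lines and the four `/opt/RealPlayer/*/.*\.so` lines) omit the `--` file-type specifier that the neighbouring `libflashplayer\.so` and `nppdf\.so` lines use, so a directory or symlink with a matching name would also receive a shared-library label. Unless that is intended, restrict them to regular files, e.g. `/opt/RealPlayer/codecs/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)`. The same applies to `/opt/RealPlayer/realplay(\.bin)?` in the corecommands.fc hunk.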
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index a1dd7d3..0123603 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries,1.3.10)
+policy_module(libraries,1.3.11)
########################################
#
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index f209df6..0c1b3ed 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.3.8)
+policy_module(logging,1.3.9)
########################################
#
@@ -255,11 +255,13 @@ optional_policy(`
# syslogd local policy
#
-# sys_admin chown fsetid for syslog-ng
+# chown fsetid for syslog-ng
+# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
dontaudit syslogd_t self:capability sys_tty_config;
-allow syslogd_t self:process signal_perms;
+# setpgid for metalog
+allow syslogd_t self:process { signal_perms setpgid };
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
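Review bot: `setpgid` is added to the shared `syslogd_t` domain, so every daemon running in that domain gains it even though the comment says only metalog needs it. The same holds for `sys_admin`, which the reworded comment attributes to the integrated klog of syslog-ng and metalog. If these cannot be scoped per daemon here, the comment should at least state that the grant is domain-wide, e.g. `# setpgid for metalog (granted to every daemon in syslogd_t)`. The syslogd local policy section starts and ends outside the hunk.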
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index aa219c1..688afeb 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -2,6 +2,12 @@
/etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
/etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
+ifdef(`distro_gentoo',`
+# gentoo init scripts still manage this file
+# even if devfs is off
+/etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0)
+')
+
/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
/lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
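Review bot: The first dot in `/etc/modprobe.devfs.*` is unescaped, so it matches any character in that position, unlike the `modules\.conf` and `modprobe\.conf` entries directly above it. Escape it so that only the intended file names receive `modules_conf_t`: `/etc/modprobe\.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0)`.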
@@ -12,5 +18,6 @@
/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
+/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0)
/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index f50a402..3884dde 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
-policy_module(modutils,1.1.3)
+policy_module(modutils,1.1.4)
gen_require(`
bool secure_mode_insmod;
@@ -68,7 +68,7 @@ files_read_kernel_modules(insmod_t)
# for locking: (cjp: ????)
files_write_kernel_modules(insmod_t)
-dev_search_sysfs(insmod_t)
+dev_read_sysfs(insmod_t)
dev_search_usbfs(insmod_t)
dev_rw_mtrr(insmod_t)
dev_read_urand(insmod_t)
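Review bot: Replacing `dev_search_sysfs(insmod_t)` with `dev_read_sysfs(insmod_t)` widens insmod_t from traversing sysfs to reading its contents, and nothing in the hunk says what needs it. A one-line comment above the call would let a later reviewer judge whether read access is still required, for example `# <placeholder: name the sysfs file modprobe reads and the denial that prompted this>`. The insmod_t rules continue outside the hunk.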