[selinux-policy: 1989/3172] trunk: firstboot update from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:56:47 UTC 2010


commit 93f445b8c092613ffd7e2e2a20e22b4133304a0d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Aug 20 19:45:39 2008 +0000

    trunk: firstboot update from dan.

 policy/modules/admin/firstboot.if |   19 +++++++++++++++++++
 policy/modules/admin/firstboot.te |   12 +++---------
 policy/modules/services/ntp.te    |    3 ++-
 3 files changed, 24 insertions(+), 10 deletions(-)
---
diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if
index 6b6b9fa..402cc7a 100644
--- a/policy/modules/admin/firstboot.if
+++ b/policy/modules/admin/firstboot.if
@@ -142,3 +142,22 @@ interface(`firstboot_dontaudit_rw_pipes',`
 
 	dontaudit $1 firstboot_t:fifo_file { read write };
 ')
+
+########################################
+## <summary>
+## 	Do not audit attemps to read and write to a firstboot
+##	unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`firstboot_dontaudit_rw_stream_sockets',`
+	gen_require(`
+		type firstboot_t;
+	')
+
+	dontaudit $1 firstboot_t:unix_stream_socket { read write };
+')
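Review bot: The summary of the new firstboot_dontaudit_rw_stream_sockets interface misspells "attempts" as "attemps"; the line should read `## 	Do not audit attempts to read and write to a firstboot`. Since this XML block is the only documentation the interface will ever have, it would also help to say explicitly that it only silences the denial and adds no access, so callers do not mistake it for an allow interface. The body itself mirrors the existing firstboot_dontaudit_rw_pipes interface with unix_stream_socket in place of fifo_file and looks fine.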
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index 93a9c3b..2b56ed7 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -1,5 +1,5 @@
 
-policy_module(firstboot, 1.7.0)
+policy_module(firstboot, 1.7.1)
 
 gen_require(`
 	class passwd rootok;
@@ -35,9 +35,6 @@ allow firstboot_t self:passwd rootok;
 
 allow firstboot_t firstboot_etc_t:file { getattr read };
 
-# The big hammer
-unconfined_domain(firstboot_t) 
-
 kernel_read_system_state(firstboot_t)
 kernel_read_kernel_sysctls(firstboot_t)
 
@@ -63,7 +60,6 @@ corecmd_exec_all_executables(firstboot_t)
 files_exec_etc_files(firstboot_t)
 files_manage_etc_files(firstboot_t)
 files_manage_etc_runtime_files(firstboot_t)
-files_etc_filetrans_etc_runtime(firstboot_t, { file dir })
 files_read_usr_files(firstboot_t)
 files_manage_var_dirs(firstboot_t)
 files_manage_var_files(firstboot_t)
@@ -110,6 +106,8 @@ optional_policy(`
 
 optional_policy(`
 	unconfined_domtrans(firstboot_t)
+	# The big hammer
+	unconfined_domain(firstboot_t) 
 ')
 
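Review bot: The re-added `unconfined_domain(firstboot_t) ` line carries the same trailing space as the line removed in the -35,9 hunk, and the `# The big hammer` comment does not record why the rule now lives inside the optional_policy block next to unconfined_domtrans instead of at top level. As far as the hunk shows, the effect is that firstboot_t is made unconfined only when the unconfined module is loaded; suggest saying so, e.g. `# The big hammer: firstboot runs unconfined only when the unconfined module is present`, and dropping the trailing whitespace. If firstboot is now expected to work with that module absent, the removal of files_etc_filetrans_etc_runtime in the -63,7 hunk presumably needs a replacement rule, which neither that hunk nor the commit message addresses.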
 optional_policy(`
@@ -131,8 +129,4 @@ ifdef(`userhelper.te', `
 	role system_r types sysadm_userhelper_t;
 	domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
 ')
-
-ifdef(`xserver.te', `
-	domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
-')
 ') dnl end TODO
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index f10ed7d..1b51801 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
 
-policy_module(ntp, 1.6.0)
+policy_module(ntp, 1.6.1)
 
 ########################################
 #
@@ -117,6 +117,7 @@ optional_policy(`
 optional_policy(`
 	firstboot_dontaudit_use_fds(ntpd_t)
 	firstboot_dontaudit_rw_pipes(ntpd_t)
+	firstboot_dontaudit_rw_stream_sockets(ntpd_t)
 ')
 
 optional_policy(`
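Review bot: The new firstboot_dontaudit_rw_stream_sockets(ntpd_t) call, like the two dontaudit lines above it, has no comment explaining why ntpd would be holding a firstboot stream socket in the first place; a one-line note such as `# fds presumably inherited when firstboot starts ntpd; silence, do not allow` would let the next reader decide whether the leak should instead be closed on the firstboot side. The interface it calls is introduced in firstboot.if by this same commit, and the optional_policy wrapper keeps the module building when firstboot is not loaded.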

