[selinux-policy: 2837/3172] More fixes

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:12:34 UTC 2010


commit ac498fa5d921ef21d1b6c511839d92bfa5273347
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Aug 27 10:56:56 2010 -0400

    More fixes

 policy/modules/kernel/devices.if     |   18 ++++++++++++++++++
 policy/modules/roles/dbadm.te        |    2 +-
 policy/modules/services/cobbler.if   |   18 ------------------
 policy/modules/services/devicekit.te |    1 +
 policy/modules/services/xserver.if   |    2 --
 policy/modules/system/init.te        |   13 ++++++++++---
 6 files changed, 30 insertions(+), 24 deletions(-)
---
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 9223f7d..d0aaa1c 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3826,6 +3826,24 @@ interface(`dev_rw_sysfs',`
 
 ########################################
 ## <summary>
+##	Allow caller to modify hardware state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	manage_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
 ##	Read from pseudo random number generator devices (e.g., /dev/urandom).
 ## </summary>
 ## <desc>
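Review bot: The summary on the new interface, `Allow caller to modify hardware state information.`, does not say what `manage_dirs_pattern($1, sysfs_t, sysfs_t)` actually grants, which is create, rename and delete of sysfs directories on top of read/write, a wider grant than the rw interface it sits next to. The wording looks copied from `dev_rw_sysfs` just above, though that summary is outside the hunk so this is an inference. Suggest `##	Create, read, write, and delete sysfs directories.` so a policy author choosing between the two interfaces sees the difference; the name already says dirs and the summary should too.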
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index a3ddd43..20d9333 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -21,7 +21,7 @@ gen_tunable(dbadm_read_user_files, false)
 
 role dbadm_r;
 
-userdom_unpriv_user_template(dbadm)
+userdom_base_user_template(dbadm)
 
 ########################################
 #
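Review bot: The change to `userdom_base_user_template(dbadm)` narrows what the dbadm role inherits (as I read userdomain.if, the unprivileged template layers on top of the base one), but neither the hunk nor the commit message records why, or which previously inherited permissions dbadm is still expected to have. Whether the rest of dbadm.te re-adds what the role needs cannot be checked here, since only these lines of the file are in the hunk. A short comment above the call, such as `# dbadm uses only the base user template; any further access is granted explicitly in this file`, would tell the next reader the restriction is deliberate rather than a typo.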
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
index a57fe37..1bdfe84 100644
--- a/policy/modules/services/cobbler.if
+++ b/policy/modules/services/cobbler.if
@@ -148,24 +148,6 @@ interface(`cobbler_manage_lib_files',`
 
 ########################################
 ## <summary>
-##	dontaudit read and write Cobbler log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cobbler_dontaudit_rw_log',`
-	gen_require(`
-		type cobbler_var_log_t;
-	')
-
-	dontaudit $1 cobbler_var_log_t:file rw_inherited_files_perms;
-')
-
-########################################
-## <summary>
 ##	Do not audit attempts to read and write
 ##	Cobbler log files (leaked fd).
 ## </summary>
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index a7de603..1e554a9 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -228,6 +228,7 @@ dev_rw_generic_usb_dev(devicekit_power_t)
 dev_rw_generic_chr_files(devicekit_power_t)
 dev_rw_netcontrol(devicekit_power_t)
 dev_rw_sysfs(devicekit_power_t)
+dev_read_rand(devicekit_power_t)
 
 files_read_kernel_img(devicekit_power_t)
 files_read_etc_files(devicekit_power_t)
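Review bot: The added `dev_read_rand(devicekit_power_t)` grants read on the blocking random device; if the denial that motivated it was actually for /dev/urandom (the usual source for things like UUID generation), `dev_read_urand(devicekit_power_t)` is the narrower interface and avoids also opening /dev/random to this domain. Which device was denied cannot be told from the hunk, so this is only worth checking against the original AVC message before merging.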
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 8696a6e..6ff8f25 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -101,8 +101,6 @@ ifdef(`hide_broken_symptoms', `
 	dev_getattr_agp_dev($2)
 	tunable_policy(`user_direct_dri',`
 		dev_rw_dri($2)
-	',`
-		dev_dontaudit_rw_dri($2)
 	')
 
 	# GNOME checks for usb and other devices:
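Review bot: Dropping the else branch of the `user_direct_dri` tunable means that when the boolean is off, attempts by $2 to read/write DRI devices are now audited where `dev_dontaudit_rw_dri($2)` previously silenced them. That may be intended, since the denial then points the admin at the boolean, but nothing in the hunk or the commit message says so, and the hunk header shows an `ifdef(`hide_broken_symptoms'` above whose purpose is exactly to silence such noise (whether these lines are inside it cannot be seen here). If intended, a comment such as `# dri denials are left audited so the user_direct_dri boolean is discoverable` would stop someone re-adding the dontaudit; if not, the else branch should come back. The enclosing template starts outside the hunk.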
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index cd266c0..a100eb6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -220,7 +220,7 @@ storage_raw_rw_fixed_disk(init_t)
 modutils_domtrans_insmod(init_t)
 
 tunable_policy(`init_systemd',`
-	allow init_t self:unix_dgram_socket create_socket_perms;
+	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
 	allow init_t self:process { setsockcreate setfscreate };
 	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
@@ -239,6 +239,7 @@ tunable_policy(`init_systemd',`
 	dev_read_generic_chr_files(init_t)
 	dev_relabelfrom_generic_chr_files(init_t)
 	dev_relabel_autofs_dev(init_t)
+	dev_manage_sysfs_dirs(init_t)
 
 	files_mounton_all_mountpoints(init_t)
 	files_manage_all_pids_dirs(init_t)
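Review bot: `dev_manage_sysfs_dirs(init_t)` gives init_t create, rename and delete on every directory labelled sysfs_t, a noticeably broader grant than the read/write and relabel rules around it, and the hunk gives no hint of which part of /sys systemd actually manages. A comment naming the subtree, e.g. `# systemd creates and removes directories under /sys (TODO: which subtree)`, would let a later reviewer check whether a narrower type or interface is possible.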
@@ -249,16 +250,17 @@ tunable_policy(`init_systemd',`
 	fs_list_auto_mountpoints(init_t)
 	fs_read_cgroup_files(init_t)
 	fs_write_cgroup_files(init_t)
+	fs_search_cgroup_dirs(daemon)
 
 	selinux_compute_create_context(init_t)
 	selinux_validate_context(init_t)
 	selinux_unmount_fs(init_t)
 
+	storage_getattr_removable_dev(init_t)
+
 	init_read_script_state(init_t)
 
 	seutil_read_file_contexts(init_t)
-
-	storage_getattr_removable_dev(init_t)
 ')
 
 optional_policy(`
@@ -287,6 +289,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	plymouthd_stream_connect(init_t)
+	plymouthd_exec_plymouth(init_t)
+')
+
+optional_policy(`
 	sssd_stream_connect(init_t)
 ')
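Review bot: `plymouthd_exec_plymouth(init_t)` reads as an exec-without-transition interface, which would run the plymouth client inside the very broad init_t domain rather than in a domain of its own; I cannot confirm the interface's definition from the hunk, so this is an inference. If a dedicated plymouth domain exists, a domtrans interface would keep that code out of init_t; if running it as init_t is deliberate, a comment such as `# plymouth client is run in init_t on purpose (TODO: record why no domain transition)` would keep the choice from being questioned on every later review.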
 

