[selinux-policy: 2909/3172] Fix some names in passenger policy
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:19:00 UTC 2010
commit 3034a8d941e74701a585c0c88d6620138df69c50
Author: Dan Walsh <dwalsh at redhat.com>
Date: Mon Sep 13 10:26:10 2010 -0400
Fix some names in passenger policy
policy/modules/apps/chrome.te | 3 +++
policy/modules/apps/nsplugin.te | 2 ++
policy/modules/services/apache.te | 2 +-
policy/modules/services/corosync.te | 16 +++++++---------
policy/modules/services/gnomeclock.fc | 2 ++
policy/modules/services/passenger.if | 15 ++++++++-------
policy/modules/services/passenger.te | 15 ++++++++-------
policy/modules/system/init.if | 19 +++++++++++++++++++
policy/modules/system/mount.te | 2 ++
9 files changed, 52 insertions(+), 24 deletions(-)
---
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
index 5725183..b09816f 100644
--- a/policy/modules/apps/chrome.te
+++ b/policy/modules/apps/chrome.te
@@ -38,6 +38,9 @@ fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
kernel_read_system_state(chrome_sandbox_t)
kernel_read_kernel_sysctls(chrome_sandbox_t)
+fs_manage_cgroup_dirs(chrome_sandbox_t)
+fs_manage_cgroup_files(chrome_sandbox_t)
+
corecmd_exec_bin(chrome_sandbox_t)
domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
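Review bot: The two added fs_manage_cgroup_* calls give chrome_sandbox_t create, delete and rename rights over the cgroup filesystem, and nothing in the hunk or the commit message says why a browser sandbox helper needs more than read/write on existing control files; the identical pair is added to mount_t in the mount.te hunk, where a mount helper needing it is easier to believe. If the sandbox only reads or updates existing cgroup files, the narrower fs_search_cgroup_dirs / fs_rw_cgroup_files (if present in this policy version) would bound the access better. At minimum a one-line rationale above the calls, e.g. `# cgroup manage: <reason> -- TODO confirm manage rather than rw is needed`, would let the next reviewer judge it.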
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
index 23890a7..7bc0dcf 100644
--- a/policy/modules/apps/nsplugin.te
+++ b/policy/modules/apps/nsplugin.te
@@ -63,6 +63,8 @@ allow nsplugin_t self:msgq create_msgq_perms;
allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow nsplugin_t self:unix_dgram_socket create_socket_perms;
allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
+read_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+read_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
tunable_policy(`allow_nsplugin_execmem',`
allow nsplugin_t self:process { execstack execmem };
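Review bot: The two added read_*_pattern rules are for nsplugin_config_t, but they are placed in a run of nsplugin_t rules (the three context lines above and the tunable_policy below all name nsplugin_t), so the config domain's permissions end up split across the file; presumably nsplugin.te has its own nsplugin_config_t local-policy section and the rules belong there. The change is also unrelated to the passenger rename the commit title describes, which makes it hard to find later. The tunable_policy block that starts on the last line continues outside the hunk.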
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 6db2fe7..86641dd 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -724,7 +724,7 @@ optional_policy(`
optional_policy(`
passenger_domtrans(httpd_t)
- passenger_manage_state_content(httpd_t)
+ passenger_manage_pid_content(httpd_t)
passenger_read_lib_files(httpd_t)
')
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
index 9d97456..fdb0dcb 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -5,13 +5,6 @@ policy_module(corosync, 1.0.0)
# Declarations
#
-## <desc>
-## <p>
-## Allow corosync to read and write generic tmpfs files.
-## </p>
-## </desc>
-gen_tunable(allow_corosync_rw_tmpfs, false)
-
type corosync_t;
type corosync_exec_t;
init_daemon_domain(corosync_t, corosync_exec_t)
@@ -98,8 +91,13 @@ miscfiles_read_localization(corosync_t)
userdom_delete_user_tmpfs_files(corosync_t)
userdom_rw_user_tmpfs_files(corosync_t)
-tunable_policy(`allow_corosync_rw_tmpfs',`
- fs_rw_tmpfs_files(corosync_t)
+optional_policy(`
+ gen_require(`
+ attribute unconfined_services;
+ ')
+
+ fs_manage_tmpfs_files(corosync_t)
+ init_manage_script_status_files(corosync_t)
')
optional_policy(`
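Review bot: The `attribute unconfined_services;` gen_require in the new optional_policy block is never referenced by the two rules beneath it, so its only effect is to make the block conditional on that attribute existing in the loaded policy, which looks accidental rather than intended. Either a `typeattribute corosync_t unconfined_services;` line was meant to follow (a large grant that would deserve its own comment), or the gen_require should be dropped and the two rules written unconditionally. Taken together with the earlier corosync.te hunk, a tunable that defaulted to false and granted fs_rw_tmpfs_files is replaced by an effectively unconditional fs_manage_tmpfs_files plus init_manage_script_status_files, which widens corosync's write access without the commit message saying so. The trailing `optional_policy(`' line opens a block that continues outside the hunk.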
diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc
index 462de63..a8ce02e 100644
--- a/policy/modules/services/gnomeclock.fc
+++ b/policy/modules/services/gnomeclock.fc
@@ -1,2 +1,4 @@
/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
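Review bot: The hunk ends the .fc file with an added empty line (the lone `+`), which is just noise and should be dropped. Labelling gsd-datetime-mechanism as gnomeclock_exec_t puts it in the same domain as gnome-clock-applet-mechanism; if it is the renamed successor of that helper a short comment such as `# gsd-datetime-mechanism replaces gnome-clock-applet-mechanism -- TODO confirm` would record why two binaries share the type.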
diff --git a/policy/modules/services/passenger.if b/policy/modules/services/passenger.if
index e738452..7ca90f6 100644
--- a/policy/modules/services/passenger.if
+++ b/policy/modules/services/passenger.if
@@ -13,6 +13,7 @@
interface(`passenger_domtrans',`
gen_require(`
type passenger_t;
+ type passenger_exec_t;
')
allow $1 self:capability { fowner fsetid };
@@ -26,7 +27,7 @@ interface(`passenger_domtrans',`
######################################
## <summary>
-## Manage passenger state content.
+## Manage passenger var_run content.
## </summary>
## <param name="domain">
## <summary>
@@ -34,16 +35,16 @@ interface(`passenger_domtrans',`
## </summary>
## </param>
#
-interface(`passenger_manage_state_content',`
+interface(`passenger_manage_pid_content',`
gen_require(`
- type passenger_state_t;
+ type passenger_var_run_t;
')
files_search_pids($1)
- manage_dirs_pattern($1, passenger_state_t, passenger_state_t)
- manage_files_pattern($1, passenger_state_t, passenger_state_t)
- manage_fifo_files_pattern($1, passenger_state_t, passenger_state_t)
- manage_sock_files_pattern($1, passenger_state_t, passenger_state_t)
+ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
')
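Review bot: passenger_manage_state_content is renamed to passenger_manage_pid_content with no compatibility interface left behind, so any policy module outside this tree that calls the old name stops building; refpolicy convention for renamed interfaces is to keep the old name as a deprecated wrapper that emits a refpolicywarn and forwards to the new one. The in-tree caller in apache.te is updated in this commit, so the break only affects external modules, but the wrapper is cheap. It needs the usual `## <summary>` doc block above it as well; the body is:
```m4
interface(`passenger_manage_state_content',`
	refpolicywarn(`$0($*) has been deprecated, please use passenger_manage_pid_content() instead.')
	passenger_manage_pid_content($1)
')
```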
########################################
diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te
index 845d90f..9cb0d1c 100644
--- a/policy/modules/services/passenger.te
+++ b/policy/modules/services/passenger.te
@@ -18,8 +18,8 @@ files_tmp_file(passenger_tmp_t)
type passenger_var_lib_t;
files_type(passenger_var_lib_t)
-type passenger_state_t;
-files_pid_file(passenger_state_t)
+type passenger_var_run_t;
+files_pid_file(passenger_var_run_t)
permissive passenger_t;
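Review bot: Renaming passenger_state_t to passenger_var_run_t without an alias means files already labelled with the old type fall back to unlabeled_t when the new policy loads, and any external module that gen_requires the old name fails to build; `typealias passenger_var_run_t alias passenger_state_t;` after the type declaration keeps both working until a relabel. The diffstat lists no passenger.fc change, so if that file still labels paths with passenger_state_t the module will not build at all unless the alias is present -- worth checking. The `permissive passenger_t;` context line means denials caused by a labelling gap here would only be logged, which can hide the problem during testing.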
@@ -34,15 +34,16 @@ allow passenger_t self:process signal;
allow passenger_t self:fifo_file rw_fifo_file_perms;
allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
-manage_dirs_pattern(passenger_t, passenger_state_t, passenger_state_t)
-manage_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
-manage_fifo_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
-manage_sock_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
-
files_search_var_lib(passenger_t)
manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
+
kernel_read_system_state(passenger_t)
kernel_read_kernel_sysctls(passenger_t)
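Review bot: The new `files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })` omits fifo_file even though the line above it grants manage_fifo_files_pattern on passenger_var_run_t, so a named pipe passenger creates under /var/run would keep the directory's default type and the fifo rule would never match it. Either add the class, `files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir fifo_file sock_file })`, or drop the fifo manage rule if passenger never creates one; the passenger_manage_pid_content interface in passenger.if grants fifo manage as well, which suggests it does.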
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index f28524b..447aaec 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1541,6 +1541,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
+## Manage init script
+## status files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_manage_script_status_files',`
+ gen_require(`
+ type initrc_state_t;
+ ')
+
+ manage_files_pattern($1, initrc_state_t, initrc_state_t)
+')
+
+########################################
+## <summary>
## Do not audit attempts to read init script
## status files.
## </summary>
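Review bot: init_manage_script_status_files grants manage_files_pattern on initrc_state_t but nothing on the directory holding those files, so a caller without search on that parent (corosync_t, the first user in this commit) may still be denied before reaching the file; the sibling init_*_script_status_files interfaces (init_getattr_script_status_files in the hunk header lies outside the hunk) should show whether they add a search call, and this one should match. The summary could also say what the grant means for callers, since manage on init script status files lets a service domain alter what init records about other services, e.g. `## Manage init script status files (full write access to initrc_state_t files).`. The doc block that starts on the last three lines belongs to the following interface and continues outside the hunk.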
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index a2f7102..1f8fee9 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -141,6 +141,8 @@ fs_read_tmpfs_symlinks(mount_t)
fs_read_fusefs_files(mount_t)
fs_manage_nfs_dirs(mount_t)
fs_read_nfs_symlinks(mount_t)
+fs_manage_cgroup_dirs(mount_t)
+fs_manage_cgroup_files(mount_t)
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)