[selinux-policy: 3149/3172] Allow firewallgui to sys_rawio which seems to be required to set up masquerading Allow all domains to
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:39:59 UTC 2010
commit fb52482a1f30f03973f6275b4ce22540d5d57a29
Author: Dan Walsh <dwalsh at redhat.com>
Date: Sat Sep 25 06:23:04 2010 -0400
Allow firewallgui to sys_rawio which seems to be required to set up masquerading
Allow all domains to search through default_t directories, in order to find different labels. For example, people setting up /foo/bar to be shared via samba.
Add label for /var/log/slim.log
policy/modules/apps/firewallgui.te | 3 +--
policy/modules/kernel/domain.te | 3 +++
policy/modules/services/xserver.fc | 1 +
3 files changed, 5 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
index 4da3d86..910a3f4 100644
--- a/policy/modules/apps/firewallgui.te
+++ b/policy/modules/apps/firewallgui.te
@@ -17,8 +17,7 @@ files_tmp_file(firewallgui_tmp_t)
# firewallgui local policy
#
-allow firewallgui_t self:capability net_admin;
-
+allow firewallgui_t self:capability { net_admin sys_rawio } ;
allow firewallgui_t self:fifo_file rw_fifo_file_perms;
manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
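Review bot: the sys_rawio added to firewallgui_t in the capability rule is justified only by "seems to be required" in the commit message, and sys_rawio is one of the broader capabilities (it gates raw I/O port and device access), so the reason should be on record. Please cite the AVC denial that prompted it, in the commit message or in a comment above the rule, and confirm that setting up masquerading actually fails without it rather than only logging a denial; if it only logs, a dontaudit rule would be the tighter choice. Style nit: drop the space before the semicolon in `{ net_admin sys_rawio } ;` and keep the blank line that separated the capability rule from the fifo_file rule.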
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index d58ef64..5843cad 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -121,6 +121,9 @@ term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
+# allow all domains to search through default_t directory, since users sometimes
+# place labels within these directories. (samba_share_t) for example.
+files_search_default(domain)
# All executables should be able to search the directory they are in
corecmd_search_bin(domain)
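Review bot: files_search_default(domain) is granted to the domain attribute, so this single line lets every confined process traverse default_t directories, and the comment above it does not say that the grant is limited to search or why a global rule was preferred to having the administrator label the parent directory. Please extend the comment to state that only directory search is allowed (no listing or reading of default_t content) and that access to the target still depends on its own label, such as samba_share_t. Wording nit in the comment: "default_t directory" should be plural to match the commit message, and "(samba_share_t) for example." reads better folded into the sentence.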
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 39c2bb3..6a160b2 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -106,6 +106,7 @@ ifdef(`distro_debian', `
/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)