[selinux-policy] - Add policy for ajaxterm

Daniel J Walsh dwalsh at fedoraproject.org
Thu Sep 9 14:01:19 UTC 2010


commit 30a7d17203d660c229328a65eec696ce1ce242f1
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Sep 9 09:58:12 2010 -0400

    - Add policy for ajaxterm

 modules-targeted.conf |    7 ++
 policy-F14.patch      |  246 +++++++++++++++++++++++++++++++++++++++++++------
 selinux-policy.spec   |    5 +-
 3 files changed, 228 insertions(+), 30 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 3164f2c..1a70e73 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -25,6 +25,13 @@ accountsd = module
 # 
 acct = base
 
+# Layer: services
+# Module: ajaxterm
+#
+# Web Based Terminal
+# 
+ajaxterm = module
+
 # Layer: admin
 # Module: alsa
 #
diff --git a/policy-F14.patch b/policy-F14.patch
index 399f776..b7ea4eb 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -3777,7 +3777,7 @@ index 9a6d67d..47aa143 100644
  ##	mozilla over dbus.
  ## </summary>
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..58899ca 100644
+index cbf4bec..ec6a1ff 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -3850,7 +3850,7 @@ index cbf4bec..58899ca 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,78 @@ optional_policy(`
+@@ -266,3 +291,79 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -3918,6 +3918,7 @@ index cbf4bec..58899ca 100644
 +optional_policy(`
 +	nsplugin_domtrans(mozilla_plugin_t)
 +	nsplugin_rw_exec(mozilla_plugin_t)
++	nsplugin_manage_home_dirs(mozilla_plugin_t)
 +	nsplugin_manage_home_files(mozilla_plugin_t)
 +')
 +
@@ -4031,10 +4032,10 @@ index 0000000..63abc5c
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
 new file mode 100644
-index 0000000..4dd9d05
+index 0000000..c779d44
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.if
-@@ -0,0 +1,374 @@
+@@ -0,0 +1,392 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -4321,6 +4322,24 @@ index 0000000..4dd9d05
 +
 +########################################
 +## <summary>
++##	manage nnsplugin home dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`nsplugin_manage_home_dirs',`
++	gen_require(`
++		type nsplugin_home_t;
++	')
++
++	manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
++')
++
++########################################
++## <summary>
 +##	Allow attempts to read and write to
 +##	nsplugin named pipes.
 +## </summary>
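Review bot: The summary of the new `nsplugin_manage_home_dirs` interface reads `manage nnsplugin home dirs.`, which misspells the module name; it should read `##	Manage nsplugin home dirs.`. Since the body grants `manage_dirs_pattern` on nsplugin_home_t only, the summary could also say that this covers directories and not the files inside them, so readers do not confuse it with the `_manage_home_files` interface that mozilla.te calls alongside it.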
@@ -6895,7 +6914,7 @@ index 82842a0..369c3b5 100644
  		dbus_system_bus_client($1_wm_t)
  		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0eb1d97..b267560 100644
+index 0eb1d97..b42af1b 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -9,8 +9,11 @@
@@ -6956,15 +6975,19 @@ index 0eb1d97..b267560 100644
  /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -220,6 +234,7 @@ ifdef(`distro_gentoo',`
+@@ -218,8 +232,11 @@ ifdef(`distro_gentoo',`
+ /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  
++/usr/share/ajaxterm/qweb.py.* --	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/ajaxterm/ajaxterm.py.* --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/dayplanner/dayplanner --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/denyhosts/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/denyhosts/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
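Review bot: The two added corecommands.fc specs `/usr/share/ajaxterm/qweb.py.*` and `/usr/share/ajaxterm/ajaxterm.py.*` leave the `.` before `py` unescaped and end in `.*`, so the second one also matches `/usr/share/ajaxterm/ajaxterm.py`, the very file that the new ajaxterm.fc later in this patch labels `ajaxterm_exec_t`. Which label the file ends up with is then decided by setfiles' spec-precedence rules (a fully literal spec normally beats one with regex metacharacters, so ajaxterm_exec_t likely wins) rather than by an explicit choice, and the init-script transition in ajaxterm.te only works if ajaxterm_exec_t is the result. Escaping the dots and limiting these entries to the byte-compiled variants, e.g. `/usr/share/ajaxterm/ajaxterm\.py[co] --	gen_context(system_u:object_r:bin_t,s0)`, would remove the overlap; the same applies to the qweb line if it is only ever imported rather than executed, which I cannot tell from the hunk.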
-@@ -228,6 +243,8 @@ ifdef(`distro_gentoo',`
+@@ -228,6 +245,8 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -6973,7 +6996,7 @@ index 0eb1d97..b267560 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,6 +331,7 @@ ifdef(`distro_redhat', `
+@@ -314,6 +333,7 @@ ifdef(`distro_redhat', `
  /usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
@@ -6981,7 +7004,7 @@ index 0eb1d97..b267560 100644
  ')
  
  ifdef(`distro_suse', `
-@@ -340,3 +358,27 @@ ifdef(`distro_suse', `
+@@ -340,3 +360,27 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -7041,7 +7064,7 @@ index 9e5c83e..953e0e8 100644
 +/lib/udev/devices/ppp	-c	gen_context(system_u:object_r:ppp_device_t,s0)
 +/lib/udev/devices/net/.* -c	gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 2ecdde8..bb4adcb 100644
+index 2ecdde8..f15e5ba 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -24,6 +24,7 @@ dev_node(ppp_device_t)
@@ -7052,7 +7075,7 @@ index 2ecdde8..bb4adcb 100644
  
  ########################################
  #
-@@ -64,6 +65,7 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+@@ -64,20 +65,25 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
  type server_packet_t, packet_type, server_packet_type;
  
  network_port(afs_bos, udp,7007,s0)
@@ -7060,7 +7083,9 @@ index 2ecdde8..bb4adcb 100644
  network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
  network_port(afs_ka, udp,7004,s0)
  network_port(afs_pt, udp,7002,s0)
-@@ -72,12 +74,15 @@ network_port(agentx, udp,705,s0, tcp,705,s0)
+ network_port(afs_vl, udp,7003,s0)
+ network_port(agentx, udp,705,s0, tcp,705,s0)
++network_port(ajaxterm, tcp,8022,s0)
  network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
  network_port(amavisd_recv, tcp,10024,s0)
  network_port(amavisd_send, tcp,10025,s0)
@@ -7076,7 +7101,7 @@ index 2ecdde8..bb4adcb 100644
  type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
  network_port(certmaster, tcp,51235,s0)
  network_port(chronyd, udp,323,s0)
-@@ -85,6 +90,7 @@ network_port(clamd, tcp,3310,s0)
+@@ -85,6 +91,7 @@ network_port(clamd, tcp,3310,s0)
  network_port(clockspeed, udp,4041,s0)
  network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
  network_port(cobbler, tcp,25151,s0)
@@ -7084,7 +7109,7 @@ index 2ecdde8..bb4adcb 100644
  network_port(comsat, udp,512,s0)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
-@@ -97,7 +103,9 @@ network_port(dict, tcp,2628,s0)
+@@ -97,7 +104,9 @@ network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
  network_port(dns, udp,53,s0, tcp,53,s0)
  network_port(epmap, tcp,135,s0, udp,135,s0)
@@ -7094,7 +7119,7 @@ index 2ecdde8..bb4adcb 100644
  network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -109,7 +117,7 @@ network_port(hddtemp, tcp,7634,s0)
+@@ -109,7 +118,7 @@ network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -7103,7 +7128,7 @@ index 2ecdde8..bb4adcb 100644
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -123,30 +131,34 @@ network_port(iscsi, tcp,3260,s0)
+@@ -123,30 +132,34 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -7142,7 +7167,7 @@ index 2ecdde8..bb4adcb 100644
  network_port(ntp, udp,123,s0)
  network_port(ocsp, tcp,9080,s0)
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-@@ -154,12 +166,20 @@ network_port(pegasus_http, tcp,5988,s0)
+@@ -154,12 +167,20 @@ network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
  network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
  network_port(pingd, tcp,9125,s0)
@@ -7163,7 +7188,7 @@ index 2ecdde8..bb4adcb 100644
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pulseaudio, tcp,4713,s0)
-@@ -174,24 +194,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -174,24 +195,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -7196,7 +7221,7 @@ index 2ecdde8..bb4adcb 100644
  network_port(syslogd, udp,514,s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
-@@ -201,16 +225,17 @@ network_port(transproxy, tcp,8081,s0)
+@@ -201,16 +226,17 @@ network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -8818,7 +8843,7 @@ index 437a42a..8d6d333 100644
 +')
 +
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 0dff98e..930062c 100644
+index 0dff98e..31ebaa7 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -52,6 +52,7 @@ type anon_inodefs_t;
@@ -8842,7 +8867,14 @@ index 0dff98e..930062c 100644
  genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
  
  type configfs_t;
-@@ -106,6 +108,15 @@ fs_type(ibmasmfs_t)
+@@ -100,12 +102,22 @@ type hugetlbfs_t;
+ fs_type(hugetlbfs_t)
+ files_mountpoint(hugetlbfs_t)
+ fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
++dev_associate_sysfs(hugetlbfs_t)
+ 
+ type ibmasmfs_t;
+ fs_type(ibmasmfs_t)
  allow ibmasmfs_t self:filesystem associate;
  genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
  
@@ -8858,7 +8890,7 @@ index 0dff98e..930062c 100644
  type inotifyfs_t;
  fs_type(inotifyfs_t)
  genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
-@@ -148,6 +159,12 @@ fs_type(squash_t)
+@@ -148,6 +160,12 @@ fs_type(squash_t)
  genfscon squash / gen_context(system_u:object_r:squash_t,s0)
  files_mountpoint(squash_t)
  
@@ -8871,7 +8903,7 @@ index 0dff98e..930062c 100644
  type vmblock_t;
  fs_noxattr_type(vmblock_t)
  files_mountpoint(vmblock_t)
-@@ -168,6 +185,7 @@ fs_type(tmpfs_t)
+@@ -168,6 +186,7 @@ fs_type(tmpfs_t)
  files_type(tmpfs_t)
  files_mountpoint(tmpfs_t)
  files_poly_parent(tmpfs_t)
@@ -8879,7 +8911,7 @@ index 0dff98e..930062c 100644
  
  # Use a transition SID based on the allocating task SID and the
  # filesystem SID to label inodes in the following filesystem types,
-@@ -247,6 +265,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -247,6 +266,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
@@ -11746,6 +11778,158 @@ index 97c9cae..c24bd66 100644
  optional_policy(`
  	ccs_stream_connect(aisexec_t)
  ')
+diff --git a/policy/modules/services/ajaxterm.fc b/policy/modules/services/ajaxterm.fc
+new file mode 100644
+index 0000000..aeb1888
+--- /dev/null
++++ b/policy/modules/services/ajaxterm.fc
+@@ -0,0 +1,6 @@
++
++/etc/rc\.d/init\.d/ajaxterm	--	gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
++
++/usr/share/ajaxterm/ajaxterm\.py	--	gen_context(system_u:object_r:ajaxterm_exec_t,s0)
++
++/var/run/ajaxterm\.pid		--	gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
+diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if
+new file mode 100644
+index 0000000..581ae6e
+--- /dev/null
++++ b/policy/modules/services/ajaxterm.if
+@@ -0,0 +1,72 @@
++
++## <summary>policy for ajaxterm</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run ajaxterm.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ajaxterm_domtrans',`
++	gen_require(`
++		type ajaxterm_t, ajaxterm_exec_t;
++	')
++
++	domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
++')
++
++
++########################################
++## <summary>
++##	Execute ajaxterm server in the ajaxterm domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`ajaxterm_initrc_domtrans',`
++	gen_require(`
++		type ajaxterm_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an ajaxterm environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`ajaxterm_admin',`
++	gen_require(`
++		type ajaxterm_t;
++		type ajaxterm_initrc_exec_t;
++	')
++
++	allow $1 ajaxterm_t:process { ptrace signal_perms };
++	ps_process_pattern($1, ajaxterm_t)
++
++	ajaxterm_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 ajaxterm_initrc_exec_t system_r;
++	allow $2 system_r;
++
++')
+diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te
+new file mode 100644
+index 0000000..3441758
+--- /dev/null
++++ b/policy/modules/services/ajaxterm.te
+@@ -0,0 +1,56 @@
++policy_module(ajaxterm,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ajaxterm_t;
++type ajaxterm_exec_t;
++init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
++
++type ajaxterm_initrc_exec_t;
++init_script_file(ajaxterm_initrc_exec_t)
++
++type ajaxterm_var_run_t;
++files_pid_file(ajaxterm_var_run_t)
++
++type ajaxterm_devpts_t;
++term_login_pty(ajaxterm_devpts_t)
++
++permissive ajaxterm_t;
++
++########################################
++#
++# ajaxterm local policy
++#
++allow ajaxterm_t self:capability setuid;
++allow ajaxterm_t self:process setpgid;
++allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
++allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
++allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
++
++allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
++term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
++
++manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
++manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
++files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
++
++kernel_read_system_state(ajaxterm_t)
++
++corecmd_exec_bin(ajaxterm_t)
++
++corenet_tcp_bind_generic_node(ajaxterm_t)
++corenet_tcp_bind_ajaxterm_port(ajaxterm_t)
++
++dev_read_urand(ajaxterm_t)
++
++domain_use_interactive_fds(ajaxterm_t)
++
++files_read_etc_files(ajaxterm_t)
++files_read_usr_files(ajaxterm_t)
++
++miscfiles_read_localization(ajaxterm_t)
++
++sysnet_dns_name_resolve(ajaxterm_t)
 diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
 index adb3d5f..de26af5 100644
 --- a/policy/modules/services/amavis.if
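Review bot: `permissive ajaxterm_t;` in the new ajaxterm.te means none of the allow rules that follow it are enforced; every denial for the domain is only logged, so a network-facing terminal service that hands out ptys runs effectively unconfined until that line is removed. If this is the intended bring-up state, a comment next to it such as `# permissive during initial bring-up; remove once the domain has been exercised in enforcing mode` would make the removal condition explicit. The domain also gets `corecmd_exec_bin` and `self:capability setuid` but no domain transition for whatever it launches on the pty it creates, so the session program presumably stays in ajaxterm_t, which is worth confirming against the configured login command before the permissive line goes. Separately, `ajaxterm_admin` in ajaxterm.if requires only ajaxterm_t and ajaxterm_initrc_exec_t and never touches ajaxterm_var_run_t, so an administrator using it cannot remove a stale pid file; adding `type ajaxterm_var_run_t;` to the gen_require together with `files_list_pids($1)` and `admin_pattern($1, ajaxterm_var_run_t)` would complete the interface.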
@@ -15860,7 +16044,7 @@ index 2a0f1c1..ab82c3c 100644
  	snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
  	snmp_stream_connect(cyrus_t)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 39e901a..63c82b7 100644
+index 39e901a..87fc055 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
 @@ -42,8 +42,10 @@ template(`dbus_role_template',`
@@ -15971,7 +16155,7 @@ index 39e901a..63c82b7 100644
 +#
 +interface(`dbus_delete_pid_files',`
 +	gen_require(`
-+		type dbus_var_run_t;
++		type system_dbusd_var_run_t;
 +	')
 +
 +	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
@@ -20764,7 +20948,7 @@ index 4996f62..975deca 100644
  kernel_read_kernel_sysctls(openct_t)
  kernel_list_proc(openct_t)
 diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
-index f3d5790..196f2a2 100644
+index f3d5790..80161cd 100644
 --- a/policy/modules/services/openvpn.te
 +++ b/policy/modules/services/openvpn.te
 @@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t)
@@ -20808,7 +20992,7 @@ index f3d5790..196f2a2 100644
  
  corecmd_exec_bin(openvpn_t)
  corecmd_exec_shell(openvpn_t)
-@@ -113,6 +121,8 @@ sysnet_manage_config(openvpn_t)
+@@ -113,9 +121,11 @@ sysnet_manage_config(openvpn_t)
  sysnet_etc_filetrans_config(openvpn_t)
  
  userdom_use_user_terminals(openvpn_t)
@@ -20816,7 +21000,11 @@ index f3d5790..196f2a2 100644
 +userdom_attach_admin_tun_iface(openvpn_t)
  
  tunable_policy(`openvpn_enable_homedirs',`
- 	userdom_read_user_home_content_files(openvpn_t)
+-	userdom_read_user_home_content_files(openvpn_t)
++	userdom_search_user_home_dirs(openvpn_t)
+ ')
+ 
+ tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
 @@ -138,3 +148,7 @@ optional_policy(`
  
  	networkmanager_dbus_chat(openvpn_t)
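Review bot: Inside `tunable_policy(openvpn_enable_homedirs)` the call `userdom_read_user_home_content_files(openvpn_t)` is replaced by `userdom_search_user_home_dirs(openvpn_t)`, which keeps directory search but drops read access to files under the home directory; if the boolean's description elsewhere still promises that openvpn can read home content, it becomes misleading after this change. A short comment above the new call recording why read was narrowed to search (for instance that file access is now expected to come through a more specific type) would help the next reader; the nfs/cifs tunables that follow start outside this hunk, so I cannot tell whether they were adjusted to match.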
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ad2d720..8974d7b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Sep 8 2010 Dan Walsh <dwalsh at redhat.com> 3.9.3-3
+- Add policy for ajaxterm
+
 * Wed Sep 8 2010 Dan Walsh <dwalsh at redhat.com> 3.9.3-2
 - Handle /var/db/sudo
 - Allow pulseaudio to read alsa config

