[selinux-policy/f14/master] - Pull in cleanups from dgrift - Allow mozilla_plugin_t to execute mozilla_home_t - Allow rpc.quota

Daniel J Walsh dwalsh at fedoraproject.org
Sat Sep 25 10:34:55 UTC 2010


commit a39a877ba473e2293244cf80ddcee3e087145d8a
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Sat Sep 25 06:34:41 2010 -0400

    - Pull in cleanups from dgrift
    - Allow mozilla_plugin_t to execute mozilla_home_t
    - Allow rpc.quota to do quotamod

 policy-F14.patch |   33 ++++++++++++++++++---------------
 1 files changed, 18 insertions(+), 15 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 9f77722..3762ed8 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -2144,10 +2144,10 @@ index 0000000..7fe26f3
 +')
 diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
 new file mode 100644
-index 0000000..4da3d86
+index 0000000..910a3f4
 --- /dev/null
 +++ b/policy/modules/apps/firewallgui.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,65 @@
 +policy_module(firewallgui,1.0.0)
 +
 +########################################
@@ -2167,8 +2167,7 @@ index 0000000..4da3d86
 +# firewallgui local policy
 +#
 +
-+allow firewallgui_t self:capability net_admin;
-+
++allow firewallgui_t self:capability { net_admin sys_rawio } ;
 +allow firewallgui_t self:fifo_file rw_fifo_file_perms;
 +
 +manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
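Review bot: The rewritten rule `allow firewallgui_t self:capability { net_admin sys_rawio } ;` adds `sys_rawio`, which none of the three commit-message bullets mention and which has no comment explaining it. CAP_SYS_RAWIO is a broad capability covering raw port and device I/O, so granting it to a GUI firewall-configuration domain widens what a compromised firewallgui_t process can reach. If the denial comes from a probe the tool does not depend on, `dontaudit firewallgui_t self:capability sys_rawio;` would silence the AVC without granting the access. Otherwise, record the reason next to the rule, for example `# sys_rawio: required by <operation> (AVC in <bug id>)`. The rest of firewallgui.te lies outside this hunk, so I cannot tell whether other rules already constrain which devices the domain can open.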
@@ -7695,7 +7694,7 @@ index aad8c52..0d8458a 100644
 +	dontaudit $1 domain:socket_class_set { read write };
 +')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index 099f57f..d58ef64 100644
+index 099f57f..5843cad 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.8.1)
@@ -7739,21 +7738,24 @@ index 099f57f..d58ef64 100644
  
  # Use trusted objects in /dev
  dev_rw_null(domain)
-@@ -104,6 +122,13 @@ term_use_controlling_term(domain)
+@@ -103,6 +121,16 @@ term_use_controlling_term(domain)
+ 
  # list the root directory
  files_list_root(domain)
- 
++# allow all domains to search through default_t directory, since users sometimes
++# place labels within these directories.  (samba_share_t) for example.
++files_search_default(domain)
++
 +# All executables should be able to search the directory they are in
 +corecmd_search_bin(domain)
 +
 +tunable_policy(`domain_kernel_load_modules',`
 +	kernel_request_load_module(domain)
 +')
-+
+ 
  tunable_policy(`global_ssp',`
  	# enable reading of urandom for all domains:
- 	# this should be enabled when all programs
-@@ -113,8 +138,13 @@ tunable_policy(`global_ssp',`
+@@ -113,8 +141,13 @@ tunable_policy(`global_ssp',`
  ')
  
  optional_policy(`
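Review bot: `files_search_default(domain)` is granted to the `domain` attribute, so every confined domain on the system can now traverse directories labelled default_t, while the comment justifies it only by the samba_share_t case. Search alone does not allow listing or reading, but denials on default_t are often the first sign of a mislabelled tree, and a global allow removes that signal for all services at once. Consider granting the interface only to the service domains that need to reach user-relabelled content. If the global rule stays, say so in the comment, e.g. `# search only; a default_t hit may still indicate a mislabelled tree (run restorecon)`. The change is also not listed in the commit message, unless it is part of the "cleanups from dgrift" bullet.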
@@ -7767,7 +7769,7 @@ index 099f57f..d58ef64 100644
  ')
  
  optional_policy(`
-@@ -125,6 +155,8 @@ optional_policy(`
+@@ -125,6 +158,8 @@ optional_policy(`
  optional_policy(`
  	xserver_dontaudit_use_xdm_fds(domain)
  	xserver_dontaudit_rw_xdm_pipes(domain)
@@ -7776,7 +7778,7 @@ index 099f57f..d58ef64 100644
  ')
  
  ########################################
-@@ -143,6 +175,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+@@ -143,6 +178,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
  allow unconfined_domain_type domain:fd use;
  allow unconfined_domain_type domain:fifo_file rw_file_perms;
  
@@ -7785,7 +7787,7 @@ index 099f57f..d58ef64 100644
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -160,3 +194,81 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +197,81 @@ allow unconfined_domain_type domain:key *;
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -34714,7 +34716,7 @@ index aa6e5a8..42a0efb 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 6f1e3c7..39c2bb3 100644
+index 6f1e3c7..6a160b2 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,23 @@
@@ -34791,7 +34793,7 @@ index 6f1e3c7..39c2bb3 100644
  /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
  /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
  ifdef(`distro_debian', `
-@@ -89,17 +98,43 @@ ifdef(`distro_debian', `
+@@ -89,17 +98,44 @@ ifdef(`distro_debian', `
  
  /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
@@ -34806,6 +34808,7 @@ index 6f1e3c7..39c2bb3 100644
 -/var/log/[kw]dm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
 -/var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 +/var/log/gdm(/.*)?		gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/slim\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
 +/var/log/lxdm\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
 +/var/log/[kw]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
  /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)

