[selinux-policy] - Pull in cleanups from dgrift - Allow mozilla_plugin_t to execute mozilla_home_t - Allow rpc.quota
Daniel J Walsh
dwalsh at fedoraproject.org
Sat Sep 25 10:35:28 UTC 2010
commit ab8faf7dcf46d007f1f66bb2b2f04948666bb328
Author: Dan Walsh <dwalsh at redhat.com>
Date: Sat Sep 25 06:35:22 2010 -0400
- Pull in cleanups from dgrift
- Allow mozilla_plugin_t to execute mozilla_home_t
- Allow rpc.quota to do quotamod
policy-F14.patch | 33 ++++++++++++++++++---------------
1 files changed, 18 insertions(+), 15 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 9f77722..3762ed8 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -2144,10 +2144,10 @@ index 0000000..7fe26f3
+')
diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
new file mode 100644
-index 0000000..4da3d86
+index 0000000..910a3f4
--- /dev/null
+++ b/policy/modules/apps/firewallgui.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,65 @@
+policy_module(firewallgui,1.0.0)
+
+########################################
@@ -2167,8 +2167,7 @@ index 0000000..4da3d86
+# firewallgui local policy
+#
+
-+allow firewallgui_t self:capability net_admin;
-+
++allow firewallgui_t self:capability { net_admin sys_rawio } ;
+allow firewallgui_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
@@ -7695,7 +7694,7 @@ index aad8c52..0d8458a 100644
+ dontaudit $1 domain:socket_class_set { read write };
+')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index 099f57f..d58ef64 100644
+index 099f57f..5843cad 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.8.1)
@@ -7739,21 +7738,24 @@ index 099f57f..d58ef64 100644
# Use trusted objects in /dev
dev_rw_null(domain)
-@@ -104,6 +122,13 @@ term_use_controlling_term(domain)
+@@ -103,6 +121,16 @@ term_use_controlling_term(domain)
+
# list the root directory
files_list_root(domain)
-
++# allow all domains to search through default_t directory, since users sometimes
++# place labels within these directories. (samba_share_t) for example.
++files_search_default(domain)
++
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
+
+tunable_policy(`domain_kernel_load_modules',`
+ kernel_request_load_module(domain)
+')
-+
+
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
- # this should be enabled when all programs
-@@ -113,8 +138,13 @@ tunable_policy(`global_ssp',`
+@@ -113,8 +141,13 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@@ -7767,7 +7769,7 @@ index 099f57f..d58ef64 100644
')
optional_policy(`
-@@ -125,6 +155,8 @@ optional_policy(`
+@@ -125,6 +158,8 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -7776,7 +7778,7 @@ index 099f57f..d58ef64 100644
')
########################################
-@@ -143,6 +175,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+@@ -143,6 +178,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
@@ -7785,7 +7787,7 @@ index 099f57f..d58ef64 100644
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -160,3 +194,81 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +197,81 @@ allow unconfined_domain_type domain:key *;
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -34714,7 +34716,7 @@ index aa6e5a8..42a0efb 100644
########################################
## <summary>
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 6f1e3c7..39c2bb3 100644
+index 6f1e3c7..6a160b2 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,23 @@
@@ -34791,7 +34793,7 @@ index 6f1e3c7..39c2bb3 100644
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
ifdef(`distro_debian', `
-@@ -89,17 +98,43 @@ ifdef(`distro_debian', `
+@@ -89,17 +98,44 @@ ifdef(`distro_debian', `
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
@@ -34806,6 +34808,7 @@ index 6f1e3c7..39c2bb3 100644
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
More information about the scm-commits
mailing list