[selinux-policy/f15/master] - Other fixes to make boot working

Miroslav Grepl mgrepl at fedoraproject.org
Fri Apr 1 11:56:40 UTC 2011


commit d9e807e4675b28c22c8b43a6593712c2f7012c0a
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Apr 1 13:57:06 2011 +0000

    - Other fixes to make boot work

 policy-F15.patch    |   86 ++++++++++++++++++++++++++++++++++++++++++--------
 selinux-policy.spec |    5 ++-
 2 files changed, 76 insertions(+), 15 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 716da52..92bf5ab 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -1415,16 +1415,17 @@ index af55369..f77e897 100644
 +	')
 +')
 diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc
-index 7077413..56d1ecb 100644
+index 7077413..6bc0fa8 100644
 --- a/policy/modules/admin/readahead.fc
 +++ b/policy/modules/admin/readahead.fc
-@@ -1,3 +1,6 @@
+@@ -1,3 +1,7 @@
  /usr/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
  /sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
  /var/lib/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_lib_t,s0)
 +/lib/systemd/systemd-readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 +
 +/dev/\.systemd/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_run_t,s0)
++/var/run/systemd/readahead(/.*)?  gen_context(system_u:object_r:readahead_var_run_t,s0)
 diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if
 index 47c4723..1f57c34 100644
 --- a/policy/modules/admin/readahead.if
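Review bot: The new `/var/run/systemd/readahead(/.*)?` entry separates the path from its context with two spaces, while every neighbouring line in readahead.fc (L31–L36) uses a tab; the file-contexts parser does not care, but the file is otherwise tab-aligned and the mixed whitespace makes the column drift. I would change it to `/var/run/systemd/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_run_t,s0)` with a tab. Since the previous release added a subs file equating /var/run with /run (L251), this single spelling should cover both paths, so no /run duplicate is needed.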
@@ -1474,7 +1475,7 @@ index 47c4723..1f57c34 100644
 +')
 +
 diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
-index b4ac57e..275323b 100644
+index b4ac57e..785c319 100644
 --- a/policy/modules/admin/readahead.te
 +++ b/policy/modules/admin/readahead.te
 @@ -16,13 +16,14 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
@@ -1493,7 +1494,7 @@ index b4ac57e..275323b 100644
  dontaudit readahead_t self:capability { net_admin sys_tty_config };
  allow readahead_t self:process { setsched signal_perms };
  
-@@ -31,7 +32,10 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
+@@ -31,13 +32,17 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
  files_search_var_lib(readahead_t)
  
  manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
@@ -1505,7 +1506,14 @@ index b4ac57e..275323b 100644
  
  kernel_read_all_sysctls(readahead_t)
  kernel_read_system_state(readahead_t)
-@@ -53,10 +57,18 @@ domain_read_all_domains_state(readahead_t)
+ kernel_dontaudit_getattr_core_if(readahead_t)
+ 
+ dev_read_sysfs(readahead_t)
++dev_read_kmsg(readahead_t)
+ dev_getattr_generic_chr_files(readahead_t)
+ dev_getattr_generic_blk_files(readahead_t)
+ dev_getattr_all_chr_files(readahead_t)
+@@ -53,10 +58,18 @@ domain_read_all_domains_state(readahead_t)
  
  files_list_non_security(readahead_t)
  files_read_non_security_files(readahead_t)
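Review bot: `dev_read_kmsg(readahead_t)` grants the readahead domain read access to the kernel ring buffer, which is a wider grant than the logging use that usually motivates kmsg access; elsewhere in this same patch systemd-tmpfiles gets only `dev_write_kmsg` (L220). If the denial that prompted this was systemd's early-boot logger writing to /dev/kmsg, `dev_write_kmsg(readahead_t)` is the narrower fix; I cannot tell from the hunk which operation was denied. If the read really is needed, a one-line comment such as `# systemd-readahead reads /dev/kmsg during early boot` above the rule would tell the next maintainer why, matching the comment style used at L92.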
@@ -1524,7 +1532,7 @@ index b4ac57e..275323b 100644
  
  fs_getattr_all_fs(readahead_t)
  fs_search_auto_mountpoints(readahead_t)
-@@ -66,12 +78,14 @@ fs_read_cgroup_files(readahead_t)
+@@ -66,12 +79,14 @@ fs_read_cgroup_files(readahead_t)
  fs_read_tmpfs_files(readahead_t)
  fs_read_tmpfs_symlinks(readahead_t)
  fs_list_inotifyfs(readahead_t)
@@ -1539,6 +1547,15 @@ index b4ac57e..275323b 100644
  
  storage_raw_read_fixed_disk(readahead_t)
  
+@@ -82,6 +97,8 @@ auth_dontaudit_read_shadow(readahead_t)
+ init_use_fds(readahead_t)
+ init_use_script_ptys(readahead_t)
+ init_getattr_initctl(readahead_t)
++# needs to write to /run/systemd/notify
++init_write_pid_socket(readahead_t)
+ 
+ logging_send_syslog_msg(readahead_t)
+ logging_set_audit_parameters(readahead_t)
 diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
 index b206bf6..48922c9 100644
 --- a/policy/modules/admin/rpm.fc
@@ -12213,7 +12230,7 @@ index 59bae6a..2e55e71 100644
 +/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/dev/hugepages(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index dfe361a..40bfd0f 100644
+index dfe361a..6d1083f 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -12784,7 +12801,7 @@ index dfe361a..40bfd0f 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3989,6 +4334,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3989,6 +4334,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -12804,6 +12821,24 @@ index dfe361a..40bfd0f 100644
 +	dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
 +')
 +
++#######################################
++## <summary>
++##  Create directory  on tmpfs filesystems.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`fs_create_tmpfs_dir',`
++    gen_require(`
++        type tmpfs_t;
++    ')
++
++    create_dirs_pattern($1, tmpfs_t, tmpfs_t)
++')
++
 +########################################
 +## <summary>
 +##	Relabelfrom directory  on tmpfs filesystems.
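Review bot: The new `fs_create_tmpfs_dir` interface is indented with four spaces (L133–L137) while the surrounding interfaces in filesystem.if use tabs (L119), and its separator line at L122 is one `#` shorter than the neighbours' (L140); a reader diffing this file later will see noise from the mixed whitespace. I would re-indent the body with tabs, e.g. `	gen_require(\`` / `		type tmpfs_t;` / `	create_dirs_pattern($1, tmpfs_t, tmpfs_t)`. The summary would also benefit from saying what is granted, since `create_dirs_pattern` covers every tmpfs_t directory, not one particular mount: `## Create directories on tmpfs filesystems (all directories labeled tmpfs_t).`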
@@ -12827,7 +12862,7 @@ index dfe361a..40bfd0f 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4271,6 +4652,8 @@ interface(`fs_mount_all_fs',`
+@@ -4271,6 +4670,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -12836,7 +12871,7 @@ index dfe361a..40bfd0f 100644
  ')
  
  ########################################
-@@ -4681,3 +5064,24 @@ interface(`fs_unconfined',`
+@@ -4681,3 +5082,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -47563,7 +47598,7 @@ index 354ce93..f97fbb7 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..05b4982 100644
+index cc83689..9deaed9 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,41 @@ interface(`init_script_domain',`
@@ -48121,7 +48156,7 @@ index cc83689..05b4982 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2052,120 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2052,139 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -48197,6 +48232,25 @@ index cc83689..05b4982 100644
 +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 +')
 +
++#######################################
++## <summary>
++##  Allow the specified domain to write to
++##  init sock file.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`init_write_pid_socket',`
++    gen_require(`
++        type init_var_run_t;
++    ')
++
++    allow $1 init_var_run_t:sock_file write;
++')
++
 +########################################
 +## <summary>
 +##	Send a message to init over a unix domain
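Review bot: `init_write_pid_socket` allows `write` on every sock_file labeled init_var_run_t, which per init.fc (L163) is the whole of /run/systemd, so a caller gets write access to any socket systemd creates there (notify, private control sockets, and whatever else lands in that directory), while the summary only says "init sock file". The documentation should state the real scope so callers understand what they are granting: `## Allow the specified domain to write to socket files labeled init_var_run_t, i.e. any socket under /run/systemd (for example /run/systemd/notify).` Longer term a dedicated type for the notify socket would let sd_notify clients be confined without reaching the other sockets, but that is beyond this boot-fix commit. As a style point the body uses four-space indentation (L195–L199) where the rest of init.if uses tabs.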
@@ -53312,10 +53366,10 @@ index 0000000..aabfb0d
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..a0f5414
+index 0000000..26811b0
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,163 @@
+@@ -0,0 +1,167 @@
 +
 +policy_module(systemd, 1.0.0)
 +
@@ -53396,6 +53450,10 @@ index 0000000..a0f5414
 +
 +dev_write_kmsg(systemd_tmpfiles_t)
 +
++# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
++fs_create_tmpfs_dir(systemd_tmpfiles_t)
++fs_relabelfrom_tmpfs_dir(systemd_tmpfiles_t)
++
 +files_read_etc_files(systemd_tmpfiles_t)
 +files_getattr_all_dirs(systemd_tmpfiles_t)
 +files_getattr_all_files(systemd_tmpfiles_t)
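Review bot: A relabel of /run/lock needs both halves of the transition, and this hunk only adds the `relabelfrom` side on tmpfs_t (`fs_relabelfrom_tmpfs_dir`); unless the `relabelto` on the lock directory's target type is already granted elsewhere in systemd.te, which I cannot see from here, the relabel will still be denied. The comment also has a verb-agreement slip and could name the target of the relabel: `# systemd-tmpfiles relabels /run/lock (tmpfs_t -> its lock label) and creates /run/lock/lockdev`. Note that `fs_create_tmpfs_dir` is not restricted to /run: it permits creating directories on any tmpfs_t-labeled filesystem, which is acceptable for a privileged boot tool but worth stating in the comment.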
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c971b22..7803bdc 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,9 @@ exit 0
 %endif
 
 %changelog
+* Fri Apr 1 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-9
+- Other fixes to make boot working
+
 * Thu Mar 31 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-8
 - A lot of fixes making /run change working
 - Add subs file to equate /var/run with /run and /var/lock with /run/lock

