[selinux-policy/f16] - Add fixes for xguest package
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Dec 7 17:37:29 UTC 2011
commit 7ced2aab744f2d7ebedb8ba8ce68d010fd503927
Author: Miroslav <mgrepl at redhat.com>
Date: Wed Dec 7 18:37:09 2011 +0100
- Add fixes for xguest package
file_contexts.subs_dist | 1 +
policy-F16.patch | 48 ++++++++++++++++++++++++++++++++++------------
selinux-policy.spec | 5 +++-
3 files changed, 40 insertions(+), 14 deletions(-)
---
diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist
index 39171e2..427372c 100644
--- a/file_contexts.subs_dist
+++ b/file_contexts.subs_dist
@@ -4,3 +4,4 @@
/lib64 /lib
/usr/lib64 /usr/lib
/etc/systemd/system /lib/systemd/system
+/var/lib/xguest/home /home
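Review bot: The new `/var/lib/xguest/home /home` equivalence only changes what context path lookups (restorecon, matchpathcon) resolve for that tree; it does not relabel anything that already exists under /var/lib/xguest/home. Nothing visible in this commit relabels the directory, since the spec hunks only bump Release and add a changelog line. Existing xguest home content would therefore keep its old context until something like `restorecon -R /var/lib/xguest/home` runs. It is worth confirming that a scriptlet outside this diff covers it.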
diff --git a/policy-F16.patch b/policy-F16.patch
index 3505dbf..c3ef4df 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -4417,7 +4417,7 @@ index 81fb26f..66cf96c 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..cd9d876 100644
+index 441cf22..8d23813 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -4573,17 +4573,23 @@ index 441cf22..cd9d876 100644
files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
-@@ -460,6 +476,7 @@ fs_search_auto_mountpoints(useradd_t)
+@@ -460,17 +476,15 @@ fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)
mls_file_upgrade(useradd_t)
+mls_process_read_to_clearance(useradd_t)
- # Allow access to context for shadow file
- selinux_get_fs_mount(useradd_t)
-@@ -469,8 +486,8 @@ selinux_compute_create_context(useradd_t)
- selinux_compute_relabel_context(useradd_t)
- selinux_compute_user_contexts(useradd_t)
+-# Allow access to context for shadow file
+-selinux_get_fs_mount(useradd_t)
+-selinux_validate_context(useradd_t)
+-selinux_compute_access_vector(useradd_t)
+-selinux_compute_create_context(useradd_t)
+-selinux_compute_relabel_context(useradd_t)
+-selinux_compute_user_contexts(useradd_t)
++seutil_semanage_policy(useradd_t)
++seutil_manage_file_contexts(useradd_t)
++seutil_manage_config(useradd_t)
++seutil_manage_default_contexts(useradd_t)
-term_use_all_ttys(useradd_t)
-term_use_all_ptys(useradd_t)
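Review bot: The added `seutil_semanage_policy`, `seutil_manage_file_contexts`, `seutil_manage_config` and `seutil_manage_default_contexts` calls give useradd_t direct management of the SELinux configuration. The next hunk adds `seutil_domtrans_loadpolicy`, `seutil_manage_bin_policy`, `seutil_manage_module_store` and the semanage locks, all unconditional and without a comment. That hunk's context lines show useradd_t already has `seutil_domtrans_semanage(useradd_t)`, so if the aim is only to record a login mapping for a new user (an inference, the commit says just "fixes for xguest"), the existing transition would keep policy management out of useradd_t. If in-process libsemanage use is required, I would add a comment above the block such as `# useradd updates the SELinux login mapping in-process; needs the policy store and load_policy`, and name the grant in the %changelog entry. The same hunk makes the inner patch drop the `selinux_*` calls from usermanage.te, and the useradd_t section continues outside it, so confirm from the full file that those accesses are still covered.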
@@ -4592,7 +4598,15 @@ index 441cf22..cd9d876 100644
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
-@@ -498,21 +515,11 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -495,24 +509,19 @@ seutil_read_file_contexts(useradd_t)
+ seutil_read_default_contexts(useradd_t)
+ seutil_domtrans_semanage(useradd_t)
+ seutil_domtrans_setfiles(useradd_t)
++seutil_domtrans_loadpolicy(useradd_t)
++seutil_manage_bin_policy(useradd_t)
++seutil_manage_module_store(useradd_t)
++seutil_get_semanage_trans_lock(useradd_t)
++seutil_get_semanage_read_lock(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@@ -22855,10 +22869,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..4163dc5
+index 0000000..a03e788
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,442 @@
+@@ -0,0 +1,446 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -22965,6 +22979,10 @@ index 0000000..4163dc5
+usermanage_run_passwd(unconfined_t, unconfined_r)
+usermanage_run_chfn(unconfined_t, unconfined_r)
+
++optional_policy(`
++ usermanage_run_useradd(unconfined_t, unconfined_r)
++')
++
+tunable_policy(`allow_execmem',`
+ allow unconfined_t self:process execmem;
+')
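Review bot: The new `usermanage_run_useradd(unconfined_t, unconfined_r)` is wrapped in `optional_policy`, while `usermanage_run_passwd` and `usermanage_run_chfn` directly above it call the same module unguarded. If usermanage can be absent, all three calls belong in one `optional_policy` block; if it cannot, the wrapper is unnecessary. I would move the two existing calls into the new block so the module builds either way. The surrounding section of unconfineduser.te continues outside this hunk.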
@@ -45526,7 +45544,7 @@ index e9c0982..14af30a 100644
+ mysql_stream_connect($1)
')
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..fdd8615 100644
+index 0a0d63c..d86e78b 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -45585,7 +45603,7 @@ index 0a0d63c..fdd8615 100644
')
tunable_policy(`mysql_connect_any',`
-@@ -155,6 +159,7 @@ optional_policy(`
+@@ -155,9 +159,11 @@ optional_policy(`
allow mysqld_safe_t self:capability { chown dac_override fowner kill };
dontaudit mysqld_safe_t self:capability sys_ptrace;
@@ -45593,7 +45611,11 @@ index 0a0d63c..fdd8615 100644
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-@@ -170,26 +175,33 @@ kernel_read_system_state(mysqld_safe_t)
++delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+
+ domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+
+@@ -170,26 +176,33 @@ kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
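Review bot: The added `delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)` has no comment, and neither the commit message nor the %changelog entry ("Add fixes for xguest package") mentions a mysql change. The rule is narrowly scoped to socket files labeled mysqld_db_t, but the reason for it should be recorded. Presumably it lets mysqld_safe remove a stale socket before starting mysqld, so a comment such as `# mysqld_safe removes a stale socket before starting mysqld` above it and a matching changelog line would do.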
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9c4eb14..f7c9893 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 65%{?dist}
+Release: 66%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Dec 7 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-66
+- Add fixes for xguest package
+
* Tue Dec 6 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-65
- Allow abrt to getattr on blk files
- Add type for rhev-agent log file