[selinux-policy: 1/4] Committing my changes

Daniel J Walsh dwalsh at fedoraproject.org
Tue Dec 20 17:20:32 UTC 2011


commit ad10efc1aadbe7b7865e234372de2dc4ad804f8d
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Dec 15 16:28:30 2011 -0500

    Committing my changes

 default_trans.patch |   44 +++++++++++++++++++++++++++++++++++++++-----
 selinux-policy.spec |    6 ++++--
 thumb.patch         |   50 ++++++++++++++++++++++++++++++++++++++++++--------
 3 files changed, 85 insertions(+), 15 deletions(-)
---
diff --git a/default_trans.patch b/default_trans.patch
index 617a301..231f341 100644
--- a/default_trans.patch
+++ b/default_trans.patch
@@ -1,11 +1,45 @@
-diff --git a/policy/mcs b/policy/mcs
-index ed7a0c1..90d0b1e 100644
---- a/policy/mcs
-+++ b/policy/mcs
+diff -up serefpolicy-3.10.0/policy/mcs.trans serefpolicy-3.10.0/policy/mcs
+--- serefpolicy-3.10.0/policy/mcs.trans	2011-12-05 16:30:45.081703537 -0500
++++ serefpolicy-3.10.0/policy/mcs	2011-12-05 16:34:09.674001926 -0500
 @@ -1,4 +1,6 @@
  ifdef(`enable_mcs',`
-+default_trans level dir_file_class_set parent;
++default_range dir_file_class_set target low;
 +
  #
  # Define sensitivities 
  #
+diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
+index 26c13f2..2354089 100644
+--- a/policy/modules/kernel/devices.fc
++++ b/policy/modules/kernel/devices.fc
+@@ -205,6 +205,7 @@ ifdef(`distro_redhat',`
+ # /sys
+ #
+ /sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
++/sys/devices/system/cpu/online	gen_context(system_u:object_r:cpu_online_t,s0)
+ 
+ /usr/lib/udev/devices(/.*)?		gen_context(system_u:object_r:device_t,s0)
+ /usr/lib/udev/devices/lp.*	-c	gen_context(system_u:object_r:printer_device_t,s0)
+diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
+index 112bebb..8f727be 100644
+--- a/policy/modules/kernel/devices.te
++++ b/policy/modules/kernel/devices.te
+@@ -226,8 +226,8 @@ fs_type(sysfs_t)
+ genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
+ 
+ type cpu_online_t;
+-allow cpu_online_t sysfs_t:filesystem associate;
+-genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
++files_type(cpu_online_t)
++dev_associate_sysfs(cpu_online_t)
+ 
+ #
+ # Type for /dev/tpm
+diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
+index 7be4ddf..f7021a0 100644
+--- a/policy/modules/kernel/kernel.fc
++++ b/policy/modules/kernel/kernel.fc
+@@ -1 +1,2 @@
+-# This module currently does not have any file contexts.
++
++/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
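Review bot: The devices.fc, devices.te and kernel.fc hunks added to this patch (the `diff --git a/policy/modules/kernel/...` sections from the `devices.fc` header down to the `/sys/class/net/ib.*` line) are byte-identical to the ones added to thumb.patch in the same commit, so whichever of the two patches is applied second will fail on already-applied hunks; the spec currently applies only %patch2, so the failure is latent until %patch3 is uncommented. Since this file is named for the MCS change, the `default_range dir_file_class_set target low;` hunk against policy/mcs is the only one that belongs here, and the three kernel-module hunks should live in exactly one of the two patch files. The patch also has no description before its first `diff` line; a one-line header such as `Replace default_trans with default_range in policy/mcs (serefpolicy-3.10.0)` would tell the next maintainer what the file carries without reading the hunks.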
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 54e97bc..3879f8e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,13 +17,14 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 68%{?dist}
+Release: 68.1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-F16.patch
 patch1: unconfined_permissive.patch
 patch2: thumb.patch
+patch3: default_trans.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
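Review bot: Release is bumped from 68 to 68.1 and `patch3: default_trans.patch` is declared, but the diffstat for selinux-policy.spec (6 lines, +4/-2) is fully accounted for by the two visible hunks, so the bump carries no %changelog entry; the %changelog section itself is outside this diff. An entry of the form `* Thu Dec 15 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-68.1` followed by `- Apply thumb.patch; add default_trans.patch (not yet applied)` would record why the release moved and which patch is actually in effect.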
@@ -238,7 +239,8 @@ Based off of reference policy: Checked out revision  2.20091117
 %setup -n serefpolicy-%{version} -q
 %patch -p1
 %patch1 -p1 -b .unconfined
-#%patch2 -p1 -b .thumb
+%patch2 -p1 -b .thumb
+#%patch3 -p1 -b .trans
 
 %install
 mkdir selinux_config
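Review bot: `#%patch3 -p1 -b .trans` declares and then disables the new patch with no explanation, and because the kernel-module hunks it contains are also carried by thumb.patch (now applied via `%patch2 -p1 -b .thumb`), uncommenting the line as written will fail on already-applied hunks. A comment on the preceding line stating why it is off, e.g. `# default_trans.patch is disabled until its devices/kernel hunks are removed from thumb.patch`, would stop it being switched on by accident during a later rebase.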
diff --git a/thumb.patch b/thumb.patch
index 97ff409..c4f9967 100644
--- a/thumb.patch
+++ b/thumb.patch
@@ -1,16 +1,50 @@
-diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
-index 1105ff5..620e17b 100644
---- a/policy/modules/roles/unconfineduser.te
-+++ b/policy/modules/roles/unconfineduser.te
-@@ -188,6 +188,11 @@ optional_policy(`
- 		rtkit_scheduled(unconfined_usertype)
+diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.thumb serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te
+--- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.thumb	2011-12-13 16:04:19.597732170 -0500
++++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te	2011-12-13 16:04:42.718741218 -0500
+@@ -160,6 +160,11 @@ optional_policy(`
+ 		rtkit_scheduled(unconfined_t)
  	')
  
 +	# Might remove later if this proves to be problematic, but would like to gather AVCs
 +	optional_policy(`
-+		thumb_role(unconfined_r, unconfined_usertype)
++		thumb_role(unconfined_r, unconfined_t)
 +	')
 +
  	optional_policy(`
- 		setroubleshoot_dbus_chat(unconfined_usertype)
+ 		setroubleshoot_dbus_chat(unconfined_t)
  		setroubleshoot_dbus_chat_fixit(unconfined_t)
+diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
+index 26c13f2..2354089 100644
+--- a/policy/modules/kernel/devices.fc
++++ b/policy/modules/kernel/devices.fc
+@@ -205,6 +205,7 @@ ifdef(`distro_redhat',`
+ # /sys
+ #
+ /sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
++/sys/devices/system/cpu/online	gen_context(system_u:object_r:cpu_online_t,s0)
+ 
+ /usr/lib/udev/devices(/.*)?		gen_context(system_u:object_r:device_t,s0)
+ /usr/lib/udev/devices/lp.*	-c	gen_context(system_u:object_r:printer_device_t,s0)
+diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
+index 112bebb..8f727be 100644
+--- a/policy/modules/kernel/devices.te
++++ b/policy/modules/kernel/devices.te
+@@ -226,8 +226,8 @@ fs_type(sysfs_t)
+ genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
+ 
+ type cpu_online_t;
+-allow cpu_online_t sysfs_t:filesystem associate;
+-genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
++files_type(cpu_online_t)
++dev_associate_sysfs(cpu_online_t)
+ 
+ #
+ # Type for /dev/tpm
+diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
+index 7be4ddf..f7021a0 100644
+--- a/policy/modules/kernel/kernel.fc
++++ b/policy/modules/kernel/kernel.fc
+@@ -1 +1,2 @@
+-# This module currently does not have any file contexts.
++
++/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
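Review bot: The devices.te hunk removes `genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)` and the devices.fc hunk instead labels that path through file_contexts, so after this change the only genfscon left for sysfs is the root entry giving sysfs_t, and the cpu_online_t label exists only if /sys is relabeled after it is mounted; whether the boot sequence does that is not visible here and should be confirmed before the genfscon line is dropped. The kernel.fc hunk has the same dependency for `/sys/class/net/ib.*` and additionally assigns sysctl_net_t, a type whose other uses are outside this hunk; a comment above that line such as `# InfiniBand net interfaces under sysfs; labeled sysctl_net_t so that <reason> - confirm` would document the intent. The unconfineduser.te hunk in this file starts and ends outside the shown context (the enclosing optional_policy block continues past `setroubleshoot_dbus_chat_fixit(unconfined_t)`).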

