[selinux-policy: 4/4] Update to handle labeling on /sys using systemd-tmpfiles, also support default_range transition rule

Daniel J Walsh dwalsh at fedoraproject.org
Tue Dec 20 17:20:47 UTC 2011


commit bce4ec2b6e77f4d9562f40d8dab39d711a197586
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Dec 20 17:20:23 2011 +0000

    Update to handle labeling on /sys using systemd-tmpfiles, also support default_range transition rules

 default_trans.patch |   35 -----------------------------------
 selinux-policy.conf |    2 ++
 selinux-policy.spec |   15 +++++++--------
 3 files changed, 9 insertions(+), 43 deletions(-)
---
diff --git a/default_trans.patch b/default_trans.patch
index 231f341..b2dfb27 100644
--- a/default_trans.patch
+++ b/default_trans.patch
@@ -8,38 +8,3 @@ diff -up serefpolicy-3.10.0/policy/mcs.trans serefpolicy-3.10.0/policy/mcs
  #
  # Define sensitivities 
  #
-diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 26c13f2..2354089 100644
---- a/policy/modules/kernel/devices.fc
-+++ b/policy/modules/kernel/devices.fc
-@@ -205,6 +205,7 @@ ifdef(`distro_redhat',`
- # /sys
- #
- /sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
-+/sys/devices/system/cpu/online	gen_context(system_u:object_r:cpu_online_t,s0)
- 
- /usr/lib/udev/devices(/.*)?		gen_context(system_u:object_r:device_t,s0)
- /usr/lib/udev/devices/lp.*	-c	gen_context(system_u:object_r:printer_device_t,s0)
-diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 112bebb..8f727be 100644
---- a/policy/modules/kernel/devices.te
-+++ b/policy/modules/kernel/devices.te
-@@ -226,8 +226,8 @@ fs_type(sysfs_t)
- genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
- 
- type cpu_online_t;
--allow cpu_online_t sysfs_t:filesystem associate;
--genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
-+files_type(cpu_online_t)
-+dev_associate_sysfs(cpu_online_t)
- 
- #
- # Type for /dev/tpm
-diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
-index 7be4ddf..f7021a0 100644
---- a/policy/modules/kernel/kernel.fc
-+++ b/policy/modules/kernel/kernel.fc
-@@ -1 +1,2 @@
--# This module currently does not have any file contexts.
-+
-+/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/selinux-policy.conf b/selinux-policy.conf
new file mode 100644
index 0000000..f884d05
--- /dev/null
+++ b/selinux-policy.conf
@@ -0,0 +1,2 @@
+z /sys/devices/system/cpu/online - - -
+Z /sys/class/net - - -
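Review bot: The new selinux-policy.conf carries no comment explaining why these two sysfs paths are relabeled at boot. From `z`/`Z` alone a reader cannot tell that the intent is only to restore SELinux contexts, since the `- - -` fields leave mode and ownership untouched. I would add a header line such as `# Restore SELinux file contexts on sysfs entries at boot (sysfs labels do not persist)`. Separately, the file-context entries for `cpu_online_t` and `/sys/class/net/ib.*` appear only in the lines this commit removes from default_trans.patch. These rules therefore restore the intended types only if another patch not visible here (presumably policy-F16.patch) carries those entries; otherwise the paths are simply relabeled to the generic `/sys` context.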
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6b3082c..478f7d9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -10,10 +10,9 @@
 %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
 %define BUILD_MLS 1
 %endif
-%define POLICYVER 26
-%define libsepolver 2.0.44-2
-%define POLICYCOREUTILSVER 2.0.86-12
-%define CHECKPOLICYVER 2.1.5-2
+%define POLICYVER 27
+%define POLICYCOREUTILSVER 2.1.9-4
+%define CHECKPOLICYVER 2.1.7-2
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
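Review bot: Dropping `%define libsepolver` is safe only if no `%{libsepolver}` reference remains in the spec. None is visible in this diff, but the Requires/BuildRequires lines lie outside the hunks shown. rpm leaves an undefined macro unexpanded, so a leftover reference would end up as a literal string in a dependency instead of failing the build. A quick `grep libsepolver selinux-policy.spec` would confirm the removal is complete.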
@@ -23,8 +22,6 @@ Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-F16.patch
 patch1: unconfined_permissive.patch
-patch2: thumb.patch
-patch3: default_trans.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -44,6 +41,7 @@ Source22: users-mls
 Source23: users-targeted
 Source25: users-minimum
 Source26: file_contexts.subs_dist
+Source27: selinux-policy.conf
 
 Url: http://oss.tresys.com/repos/refpolicy/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -74,6 +72,7 @@ SELinux Base package
 %{_usr}/share/selinux/devel/Makefile
 %{_usr}/share/selinux/devel/example.*
 %{_usr}/share/selinux/devel/policy.*
+%{_usr}/lib/tmpfiles.d/selinux-policy.conf
 
 %package doc
 Summary: SELinux policy documentation
@@ -239,8 +238,6 @@ Based off of reference policy: Checked out revision  2.20091117
 %setup -n serefpolicy-%{version} -q
 %patch -p1
 %patch1 -p1 -b .unconfined
-%patch2 -p1 -b .thumb
-#%patch3 -p1 -b .trans
 
 %install
 mkdir selinux_config
@@ -256,6 +253,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/selinux
 mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
 touch %{buildroot}%{_sysconfdir}/selinux/config
 touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
+mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
+cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
 
 # Always create policy module package directories
 mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/
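Review bot: The added `cp %{SOURCE27} ...` line lets the installed file's mode follow whatever the source file has in the build tree, yet systemd-tmpfiles reads this file as root, so it should be pinned to non-writable for other users. I would replace it with `install -p -m 0644 %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/selinux-policy.conf`, which sets the mode explicitly and keeps the timestamp. Also note that nothing in the visible hunks applies the rules at package install time, so on an already-running system the sysfs labels presumably stay as they are until the next boot or a manual `systemd-tmpfiles --create`. If that is intended, a comment above these lines saying so would help.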

