[selinux-policy] Fixes caused by the labeling of /etc/passwd Add thumb.patch to transition unconfined_t to thumb_t fo

Daniel J Walsh dwalsh at fedoraproject.org
Fri Sep 30 14:22:56 UTC 2011


commit e15ae4fa849c728abf3e191d1deef9373b6e969e
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Sep 30 10:22:41 2011 -0400

    Fixes caused by the labeling of /etc/passwd
    Add thumb.patch to transition unconfined_t to thumb_t for Rawhide

 passwd.patch        |   25 +++++++++++++++++++++++++
 selinux-policy.spec |    6 ++++--
 thumb.patch         |   16 ++++++++++++++++
 3 files changed, 45 insertions(+), 2 deletions(-)
---
diff --git a/passwd.patch b/passwd.patch
index f507510..8e496c6 100644
--- a/passwd.patch
+++ b/passwd.patch
@@ -138,6 +138,31 @@ index 2b348c7..b89658c 100644
  logging_send_syslog_msg(entropyd_t)
  
  miscfiles_read_localization(entropyd_t)
+diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
+index 4f9a575..5fc3a55 100644
+--- a/policy/modules/services/plymouthd.te
++++ b/policy/modules/services/plymouthd.te
+@@ -75,6 +75,8 @@ init_signal(plymouthd_t)
+ logging_link_generic_logs(plymouthd_t)
+ logging_delete_generic_logs(plymouthd_t)
+ 
++auth_read_passwd(plymouthd_t)
++
+ miscfiles_read_localization(plymouthd_t)
+ miscfiles_read_fonts(plymouthd_t)
+ miscfiles_manage_fonts_cache(plymouthd_t)
+diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
+index 290f8c4..cd2909f 100644
+--- a/policy/modules/services/virt.te
++++ b/policy/modules/services/virt.te
+@@ -881,6 +881,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain)
+ fs_list_inotifyfs(svirt_lxc_domain)
+ fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain)
+ 
++auth_dontaudit_read_passwd(svirt_lxc_domain)
+ auth_dontaudit_read_login_records(svirt_lxc_domain)
+ auth_dontaudit_write_login_records(svirt_lxc_domain)
+ auth_search_pam_console_data(svirt_lxc_domain)
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
 index 59742f4..51ca568 100644
 --- a/policy/modules/system/authlogin.fc
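Review bot: `auth_dontaudit_read_passwd(svirt_lxc_domain)` in the virt.te part silences the denial instead of granting the read, so attempts by container processes to read the relabeled /etc/passwd will no longer produce AVC records. That is consistent with the neighbouring `auth_dontaudit_*` lines, but a one-line comment such as `# passwd reads from containers are denied on purpose; the denial is hidden to cut audit noise` (if that is the intent) would tell anyone triaging audit logs that the silence is deliberate. When investigating a container, dontaudit rules can be lifted temporarily with `semodule -DB`. The `auth_read_passwd(plymouthd_t)` line in the plymouthd.te part is also uncommented; a short note on why plymouthd needs the account database would help a later least-privilege review.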
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 49f328f..b772eb9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,13 +17,14 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 34.5%{?dist}
+Release: 34.6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-F16.patch
 patch1: unconfined_permissive.patch
 patch2: passwd.patch
+patch3: thumb.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
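Review bot: `patch3: thumb.patch` is declared here, but the diffstat lists only four insertions and two deletions for selinux-policy.spec, all of them in these two hunks, so this commit adds no `%patch3` line to `%prep`. Unless `%prep` (outside the hunks) applies patches generically, thumb.patch is carried in the source package without being applied and the unconfined_t to thumb_t transition never reaches the built policy. Something like `%patch3 -p1 -b .thumb` next to the existing patch applications would close the gap. Separately, Release moves to 34.6 while the changelog entry edited in the next hunk still reads `3.10.0-34.4` and pairs `Fri` with `Sep 29 2011`, although the commit is dated Fri Sep 30. That entry should probably read `* Fri Sep 30 2011 ... 3.10.0-34.6`.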
@@ -470,8 +471,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
-* Thu Sep 29 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-34.4
+* Fri Sep 29 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-34.4
 - Fixes caused by the labeling of /etc/passwd
+- Add thumb.patch to transition unconfined_t to thumb_t for Rawhide
 
 * Thu Sep 29 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-34.3
 - Add support for Clustered Samba commands
diff --git a/thumb.patch b/thumb.patch
new file mode 100644
index 0000000..df9d9da
--- /dev/null
+++ b/thumb.patch
@@ -0,0 +1,16 @@
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+index 1105ff5..620e17b 100644
+--- a/policy/modules/roles/unconfineduser.te
++++ b/policy/modules/roles/unconfineduser.te
+@@ -188,6 +188,11 @@ optional_policy(`
+ 		rtkit_scheduled(unconfined_usertype)
+ 	')
+ 
++	# Might remove later if this proves to be problematic, but would like to gather AVC's
++	optional_policy(`
++		thumb_role(unconfined_r, unconfined_usertype)
++	')
++
+ 	optional_policy(`
+ 		setroubleshoot_dbus_chat(unconfined_usertype)
+ 		setroubleshoot_dbus_chat_fixit(unconfined_t)
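Review bot: The added comment says the goal is to gather AVCs, but nothing in this hunk shows whether thumb_t is permissive, so on an enforcing system thumbnailers started from an unconfined session may be denied outright rather than only logged. The comment should state the trial conditions and the exit criterion, for example `# Trial: confine thumbnailers started by unconfined users; thumb_t is <permissive|enforcing> for the trial, remove this block if thumbnailing breaks`. Whether thumb_t is declared permissive elsewhere (the thumb module or unconfined_permissive.patch) cannot be seen from here. The enclosing `optional_policy` block in unconfineduser.te starts before the hunk and continues past it.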

