[selinux-policy] Fix typo in virt.te

Miroslav Grepl mgrepl at fedoraproject.org
Thu Aug 2 06:32:40 UTC 2012


commit e1fa9080b63d32bfa03c0475374cc4763a356c28
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Aug 2 08:32:00 2012 +0200

    Fix typo in virt.te

 policy-rawhide.patch         |   38 +++++++++++++++++++++++++++++---------
 policy_contrib-rawhide.patch |    4 ++--
 2 files changed, 31 insertions(+), 11 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 64ff603..ce44aa4 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -71841,7 +71841,7 @@ index 7be4ddf..f7021a0 100644
 +
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 4bf45cb..30e39df 100644
+index 4bf45cb..e9855e0 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -267,7 +267,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -72065,7 +72065,7 @@ index 4bf45cb..30e39df 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2956,5 +3092,79 @@ interface(`kernel_unconfined',`
+@@ -2956,5 +3092,98 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -72111,6 +72111,25 @@ index 4bf45cb..30e39df 100644
 +	allow $1 kernel_t:unix_stream_socket { read getattr };
 +')
 +
++#######################################
++## <summary>
++##  Allow the specified domain to write on 
++##  the kernel with a unix socket.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`kernel_stream_write',`
++    gen_require(`
++        type kernel_t;
++    ')
++
++    allow $1 kernel_t:unix_stream_socket { write getattr };
++')
++
 +########################################
 +## <summary>
 +##	Make the specified type usable for regular entries in proc
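Review bot: The new `kernel_stream_write` interface is indented with four spaces, while the neighbouring rule in this hunk (`allow $1 kernel_t:unix_stream_socket { read getattr };`) uses a tab; matching the surrounding style would keep kernel.if consistent. The summary "Allow the specified domain to write on the kernel with a unix socket." does not say clearly what is granted, and the line ending "write on " carries trailing whitespace. A wording such as `##	Write to kernel unix stream sockets.` would describe the `{ write getattr }` rule directly. Reviewers deciding whether a caller should get this access read the interface documentation first, so it should state the object class and permissions plainly.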
@@ -85652,7 +85671,7 @@ index 321bb13..e7fd936 100644
 +	init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 0034021..a684b91 100644
+index 0034021..ca33705 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -5,6 +5,20 @@ policy_module(logging, 1.19.0)
@@ -85839,7 +85858,7 @@ index 0034021..a684b91 100644
  
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
-@@ -386,13 +430,20 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -386,13 +430,21 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -85857,10 +85876,11 @@ index 0034021..a684b91 100644
  files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
  
 +kernel_stream_read(syslogd_t)
++kernel_stream_write(syslogd_t)
  kernel_read_system_state(syslogd_t)
  kernel_read_kernel_sysctls(syslogd_t)
  kernel_read_proc_symlinks(syslogd_t)
-@@ -401,7 +452,10 @@ kernel_read_messages(syslogd_t)
+@@ -401,7 +453,10 @@ kernel_read_messages(syslogd_t)
  kernel_clear_ring_buffer(syslogd_t)
  kernel_change_ring_buffer_level(syslogd_t)
  
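Review bot: The added `kernel_stream_write(syslogd_t)` line gives syslogd_t write access to kernel_t unix stream sockets, but the commit is titled "Fix typo in virt.te" and nothing in the policy records why the logging daemon needs it. Because this widens what a confined daemon may do, a why-comment above the call would help later audits, for example `# <reason for write access; AVC or bug reference>`. Whether the grant should be unconditional or sit inside a conditional or optional block cannot be judged from this hunk alone, so that is worth confirming against the denial that motivated it.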
@@ -85872,7 +85892,7 @@ index 0034021..a684b91 100644
  corenet_all_recvfrom_netlabel(syslogd_t)
  corenet_udp_sendrecv_generic_if(syslogd_t)
  corenet_udp_sendrecv_generic_node(syslogd_t)
-@@ -427,10 +481,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -427,10 +482,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -85900,7 +85920,7 @@ index 0034021..a684b91 100644
  
  files_read_etc_files(syslogd_t)
  files_read_usr_files(syslogd_t)
-@@ -448,7 +519,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
+@@ -448,7 +520,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
  term_write_console(syslogd_t)
  # Allow syslog to a terminal
  term_write_unallocated_ttys(syslogd_t)
@@ -85910,7 +85930,7 @@ index 0034021..a684b91 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -460,6 +533,7 @@ init_use_fds(syslogd_t)
+@@ -460,6 +534,7 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -85918,7 +85938,7 @@ index 0034021..a684b91 100644
  
  miscfiles_read_localization(syslogd_t)
  
-@@ -493,15 +567,29 @@ optional_policy(`
+@@ -493,15 +568,29 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 0199ab6..e9ed480 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -61651,7 +61651,7 @@ index 6f0736b..2d43a63 100644
 +	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 947bbc6..274140a 100644
+index 947bbc6..b9f5601 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -5,56 +5,87 @@ policy_module(virt, 1.5.0)
@@ -62341,7 +62341,7 @@ index 947bbc6..274140a 100644
 +manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+virt_transition_svirt_lxc(virsh_t)
++virt_transition_svirt_lxc(virsh_t, system_r)
 +
 +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
 +

