[selinux-policy/f16] +* Wed Jan 4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-71 +- New fix for seunshare, requires se
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Jan 3 23:26:09 UTC 2012
commit c33872fd60bfb88d44ddca490461206fe71b4326
Author: Miroslav <mgrepl at redhat.com>
Date: Wed Jan 4 00:25:52 2012 +0100
+* Wed Jan 4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-71
+- New fix for seunshare, requires seunshare_domains to be able to mounton /
policy-F16.patch | 276 ++++++++++++++++++++++++++-------------------------
selinux-policy.spec | 5 +-
2 files changed, 144 insertions(+), 137 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 68f4fea..2475a02 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -11501,10 +11501,10 @@ index 1dc7a85..a01511f 100644
+ corecmd_shell_domtrans($1_seunshare_t, $1_t)
')
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..7e6f53c 100644
+index 7590165..0596425 100644
--- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,59 @@ policy_module(seunshare, 1.1.0)
+@@ -5,40 +5,60 @@ policy_module(seunshare, 1.1.0)
# Declarations
#
@@ -11543,6 +11543,7 @@ index 7590165..7e6f53c 100644
+files_search_all(seunshare_domain)
+files_read_etc_files(seunshare_domain)
+files_mounton_all_poly_members(seunshare_domain)
++files_mounton_rootfs(seunshare_domain)
+files_manage_generic_tmp_dirs(seunshare_domain)
+files_relabelfrom_tmp_dirs(seunshare_domain)
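Review bot: `files_mounton_rootfs(seunshare_domain)` on L34 is granted to the whole seunshare_domain attribute, and the policy itself cannot express that the mount is only meant to happen inside seunshare's private mount namespace, which is presumably why `/` must be a legal mount target (confirm against the seunshare source). The only rationale is the changelog line, so a why-comment above the call would help the next reader: `# seunshare remounts its sandbox view over / in its own mount namespace`. Because `mounton` on `/` is a broad permission, any future type that picks up the seunshare_domain attribute inherits it; keep the attribute limited to the seunshare transition domains. The seunshare_domain rule block starts before this hunk.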
@@ -16815,7 +16816,7 @@ index c19518a..12e8e9c 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..b682bcf 100644
+index ff006ea..90fa357 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -16980,7 +16981,32 @@ index ff006ea..b682bcf 100644
## Unmount a rootfs filesystem.
## </summary>
## <param name="domain">
-@@ -1848,7 +1952,7 @@ interface(`files_boot_filetrans',`
+@@ -1678,6 +1782,24 @@ interface(`files_unmount_rootfs',`
+
+ ########################################
+ ## <summary>
++## Mount a filesystem on the root file system
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_mounton_rootfs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ allow $1 root_t:dir { search_dir_perms mounton };
++')
++
++########################################
++## <summary>
+ ## Get attributes of the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -1848,7 +1970,7 @@ interface(`files_boot_filetrans',`
type boot_t;
')
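Review bot: The new `files_mounton_rootfs` interface (L63-L69) allows `mounton` on `root_t:dir`, i.e. the `/` directory itself, so a caller can overlay the entire directory tree in whatever mount namespace it runs in; the summary should say that rather than the generic wording. The neighbouring summaries end with a period (`## Unmount a rootfs filesystem.`), so `## Mount a filesystem on the root directory (/).` keeps the house style. A short `## <desc>` paragraph, as the file already uses for `files_execmod_tmp`, stating that this is intended for domains that set up a private mount namespace would make the scope clear to anyone reusing the interface elsewhere.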
@@ -16989,7 +17015,7 @@ index ff006ea..b682bcf 100644
')
########################################
-@@ -2372,6 +2476,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2372,6 +2494,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -17014,7 +17040,7 @@ index ff006ea..b682bcf 100644
##########################################
## <summary>
## Manage generic directories in /etc
-@@ -2451,7 +2573,7 @@ interface(`files_read_etc_files',`
+@@ -2451,7 +2591,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -17023,7 +17049,7 @@ index ff006ea..b682bcf 100644
## </summary>
## </param>
#
-@@ -2507,6 +2629,25 @@ interface(`files_manage_etc_files',`
+@@ -2507,6 +2647,25 @@ interface(`files_manage_etc_files',`
########################################
## <summary>
@@ -17049,7 +17075,7 @@ index ff006ea..b682bcf 100644
## Delete system configuration files in /etc.
## </summary>
## <param name="domain">
-@@ -2525,6 +2666,24 @@ interface(`files_delete_etc_files',`
+@@ -2525,6 +2684,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
@@ -17074,7 +17100,7 @@ index ff006ea..b682bcf 100644
## Execute generic files in /etc.
## </summary>
## <param name="domain">
-@@ -2624,7 +2783,7 @@ interface(`files_etc_filetrans',`
+@@ -2624,7 +2801,7 @@ interface(`files_etc_filetrans',`
type etc_t;
')
@@ -17083,7 +17109,7 @@ index ff006ea..b682bcf 100644
')
########################################
-@@ -2680,24 +2839,6 @@ interface(`files_delete_boot_flag',`
+@@ -2680,24 +2857,6 @@ interface(`files_delete_boot_flag',`
########################################
## <summary>
@@ -17108,7 +17134,7 @@ index ff006ea..b682bcf 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -2738,6 +2879,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2738,6 +2897,24 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
@@ -17133,7 +17159,7 @@ index ff006ea..b682bcf 100644
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
-@@ -2775,6 +2934,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2775,6 +2952,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -17141,7 +17167,7 @@ index ff006ea..b682bcf 100644
')
########################################
-@@ -2796,6 +2956,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -2796,6 +2974,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -17149,7 +17175,7 @@ index ff006ea..b682bcf 100644
')
########################################
-@@ -3364,7 +3525,7 @@ interface(`files_home_filetrans',`
+@@ -3364,7 +3543,7 @@ interface(`files_home_filetrans',`
type home_root_t;
')
@@ -17158,7 +17184,7 @@ index ff006ea..b682bcf 100644
')
########################################
-@@ -3502,20 +3663,38 @@ interface(`files_list_mnt',`
+@@ -3502,20 +3681,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@@ -17202,7 +17228,7 @@ index ff006ea..b682bcf 100644
')
########################################
-@@ -3804,7 +3983,7 @@ interface(`files_kernel_modules_filetrans',`
+@@ -3804,7 +4001,7 @@ interface(`files_kernel_modules_filetrans',`
type modules_object_t;
')
@@ -17211,7 +17237,7 @@ index ff006ea..b682bcf 100644
')
########################################
-@@ -3900,6 +4079,99 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,6 +4097,99 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -17311,7 +17337,7 @@ index ff006ea..b682bcf 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -3945,7 +4217,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -3945,7 +4235,7 @@ interface(`files_getattr_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -17320,7 +17346,7 @@ index ff006ea..b682bcf 100644
## </summary>
## </param>
#
-@@ -4017,7 +4289,7 @@ interface(`files_list_tmp',`
+@@ -4017,7 +4307,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -17329,7 +17355,7 @@ index ff006ea..b682bcf 100644
## </summary>
## </param>
#
-@@ -4029,6 +4301,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4319,24 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -17354,12 +17380,13 @@ index ff006ea..b682bcf 100644
########################################
## <summary>
## Remove entries from the tmp directory.
-@@ -4085,6 +4375,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4085,17 +4393,43 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
+-## Manage temporary files and directories in /tmp.
+## Allow shared library text relocations in tmp files.
-+## </summary>
+ ## </summary>
+## <desc>
+## <p>
+## Allow shared library text relocations in tmp files.
@@ -17368,14 +17395,16 @@ index ff006ea..b682bcf 100644
+## This is added to support java policy.
+## </p>
+## </desc>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_tmp_files',`
+interface(`files_execmod_tmp',`
-+ gen_require(`
+ gen_require(`
+- type tmp_t;
+ attribute tmpfile;
+ ')
+
@@ -17384,26 +17413,34 @@ index ff006ea..b682bcf 100644
+
+########################################
+## <summary>
- ## Manage temporary files and directories in /tmp.
- ## </summary>
- ## <param name="domain">
-@@ -4139,7 +4455,7 @@ interface(`files_rw_generic_tmp_sockets',`
++## Manage temporary files and directories in /tmp.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_manage_generic_tmp_files',`
++ gen_require(`
++ type tmp_t;
+ ')
+
+ manage_files_pattern($1, tmp_t, tmp_t)
+@@ -4139,6 +4473,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
--## Set the attributes of all tmp directories.
+## Relabel a dir from the type used in /tmp.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -4147,9 +4463,45 @@ interface(`files_rw_generic_tmp_sockets',`
- ## </summary>
- ## </param>
- #
--interface(`files_setattr_all_tmp_dirs',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`files_relabelfrom_tmp_dirs',`
- gen_require(`
-- attribute tmpfile;
++ gen_require(`
+ type tmp_t;
+ ')
+
@@ -17430,21 +17467,10 @@ index ff006ea..b682bcf 100644
+
+########################################
+## <summary>
-+## Set the attributes of all tmp directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_setattr_all_tmp_dirs',`
-+ gen_require(`
-+ attribute tmpfile;
- ')
-
- allow $1 tmpfile:dir { search_dir_perms setattr };
-@@ -4202,7 +4554,7 @@ interface(`files_relabel_all_tmp_dirs',`
+ ## Set the attributes of all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -4202,7 +4572,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -17453,7 +17479,7 @@ index ff006ea..b682bcf 100644
## </summary>
## </param>
#
-@@ -4262,7 +4614,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4632,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -17462,7 +17488,7 @@ index ff006ea..b682bcf 100644
## </summary>
## </param>
#
-@@ -4318,7 +4670,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4688,7 @@ interface(`files_tmp_filetrans',`
type tmp_t;
')
@@ -17471,7 +17497,7 @@ index ff006ea..b682bcf 100644
')
########################################
-@@ -4342,6 +4694,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4712,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -17488,7 +17514,7 @@ index ff006ea..b682bcf 100644
')
########################################
-@@ -4681,7 +5043,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5061,7 @@ interface(`files_usr_filetrans',`
type usr_t;
')
@@ -17497,7 +17523,7 @@ index ff006ea..b682bcf 100644
')
########################################
-@@ -5084,7 +5446,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5464,7 @@ interface(`files_var_filetrans',`
type var_t;
')
@@ -17506,7 +17532,7 @@ index ff006ea..b682bcf 100644
')
########################################
-@@ -5219,7 +5581,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5599,7 @@ interface(`files_var_lib_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -17515,7 +17541,7 @@ index ff006ea..b682bcf 100644
')
########################################
-@@ -5304,6 +5666,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5684,25 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -17541,7 +17567,7 @@ index ff006ea..b682bcf 100644
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
-@@ -5317,6 +5698,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5716,8 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -17550,7 +17576,7 @@ index ff006ea..b682bcf 100644
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5336,12 +5719,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5737,14 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
@@ -17566,7 +17592,7 @@ index ff006ea..b682bcf 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5349,12 +5734,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5752,30 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -17599,7 +17625,7 @@ index ff006ea..b682bcf 100644
')
########################################
-@@ -5373,6 +5776,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5794,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -17607,7 +17633,7 @@ index ff006ea..b682bcf 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5385,7 +5789,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5807,6 @@ interface(`files_rw_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -17615,7 +17641,7 @@ index ff006ea..b682bcf 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5412,7 +5815,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5833,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -17624,7 +17650,7 @@ index ff006ea..b682bcf 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5428,12 +5831,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5849,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -17641,7 +17667,7 @@ index ff006ea..b682bcf 100644
')
########################################
-@@ -5452,7 +5855,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5873,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -17650,7 +17676,7 @@ index ff006ea..b682bcf 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5493,7 +5896,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +5914,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -17659,7 +17685,7 @@ index ff006ea..b682bcf 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +5918,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +5936,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -17668,7 +17694,7 @@ index ff006ea..b682bcf 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +5950,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +5968,8 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -17679,7 +17705,7 @@ index ff006ea..b682bcf 100644
')
########################################
-@@ -5608,6 +6011,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +6029,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -17723,7 +17749,7 @@ index ff006ea..b682bcf 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5629,6 +6069,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5629,6 +6087,25 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -17749,7 +17775,7 @@ index ff006ea..b682bcf 100644
## List the contents of the runtime process
## ID directories (/var/run).
## </summary>
-@@ -5736,7 +6195,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6213,7 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -17758,7 +17784,7 @@ index ff006ea..b682bcf 100644
')
########################################
-@@ -5815,29 +6274,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,29 +6292,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -17792,7 +17818,7 @@ index ff006ea..b682bcf 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5845,42 +6300,35 @@ interface(`files_read_all_pids',`
+@@ -5845,42 +6318,35 @@ interface(`files_read_all_pids',`
## </summary>
## </param>
#
@@ -17842,7 +17868,7 @@ index ff006ea..b682bcf 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5888,20 +6336,17 @@ interface(`files_delete_all_pids',`
+@@ -5888,20 +6354,17 @@ interface(`files_delete_all_pids',`
## </summary>
## </param>
#
@@ -17866,7 +17892,7 @@ index ff006ea..b682bcf 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5909,56 +6354,59 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5909,56 +6372,59 @@ interface(`files_delete_all_pid_dirs',`
## </summary>
## </param>
#
@@ -17942,7 +17968,7 @@ index ff006ea..b682bcf 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5966,18 +6414,17 @@ interface(`files_list_spool',`
+@@ -5966,18 +6432,17 @@ interface(`files_list_spool',`
## </summary>
## </param>
#
@@ -17965,7 +17991,7 @@ index ff006ea..b682bcf 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5985,19 +6432,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -5985,19 +6450,18 @@ interface(`files_manage_generic_spool_dirs',`
## </summary>
## </param>
#
@@ -17990,7 +18016,7 @@ index ff006ea..b682bcf 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6005,50 +6451,61 @@ interface(`files_read_generic_spool',`
+@@ -6005,50 +6469,61 @@ interface(`files_read_generic_spool',`
## </summary>
## </param>
#
@@ -18071,7 +18097,7 @@ index ff006ea..b682bcf 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6056,31 +6513,283 @@ interface(`files_spool_filetrans',`
+@@ -6056,16 +6531,268 @@ interface(`files_spool_filetrans',`
## </summary>
## </param>
#
@@ -18086,26 +18112,11 @@ index ff006ea..b682bcf 100644
- # Need to give access to /selinux/member
- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+')
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
+- # Need sys_admin capability for mounting
+########################################
+## <summary>
+## Make the specified type a file
@@ -18358,25 +18369,10 @@ index ff006ea..b682bcf 100644
+ selinux_compute_member($1)
+
+ # Need sys_admin capability for mounting
-+ allow $1 self:capability { chown fsetid sys_admin fowner };
-+
-+ # Need to give access to the directories to be polyinstantiated
-+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+ # Need to give access to the polyinstantiated subdirectories
-+ allow $1 polymember:dir search_dir_perms;
-+
-+ # Need to give access to parent directories where original
-+ # is remounted for polyinstantiation aware programs (like gdm)
-+ allow $1 polyparent:dir { getattr mounton };
-+
-+ # Need to give permission to create directories where applicable
-+ allow $1 self:process setfscreate;
-+ allow $1 polymember: dir { create setattr relabelto };
- allow $1 polydir: dir { write add_name open };
- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+ allow $1 self:capability { chown fsetid sys_admin fowner };
-@@ -6117,3 +6826,284 @@ interface(`files_unconfined',`
+ # Need to give access to the directories to be polyinstantiated
+@@ -6117,3 +6844,284 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -33177,7 +33173,7 @@ index 305ddf4..173cd16 100644
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..825cafb 100644
+index 0f28095..4082621 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -33236,7 +33232,15 @@ index 0f28095..825cafb 100644
term_use_unallocated_ttys(cupsd_t)
term_search_ptys(cupsd_t)
-@@ -270,12 +275,6 @@ files_dontaudit_list_home(cupsd_t)
+@@ -220,6 +225,7 @@ corecmd_exec_bin(cupsd_t)
+
+ domain_use_interactive_fds(cupsd_t)
+
++files_getattr_boot_dirs(cupsd_t)
+ files_list_spool(cupsd_t)
+ files_read_etc_files(cupsd_t)
+ files_read_etc_runtime_files(cupsd_t)
+@@ -270,12 +276,6 @@ files_dontaudit_list_home(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
@@ -33249,7 +33253,7 @@ index 0f28095..825cafb 100644
optional_policy(`
apm_domtrans_client(cupsd_t)
')
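Review bot: `files_getattr_boot_dirs(cupsd_t)` on L618 is unrelated to the seunshare mounton fix, yet neither the commit message (L8-L9) nor the spec changelog entry (L728-L729) mentions it, so the cupsd_t change is undocumented. A changelog bullet such as `- Allow cupsd to get attributes of /boot` would keep the package history accurate. The trigger for this access is not visible in the hunk; presumably it comes from an observed denial, and a one-line comment naming it would help future audits of cupsd_t's rules.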
-@@ -297,8 +296,10 @@ optional_policy(`
+@@ -297,8 +297,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -33260,7 +33264,7 @@ index 0f28095..825cafb 100644
')
')
-@@ -311,10 +312,22 @@ optional_policy(`
+@@ -311,10 +313,22 @@ optional_policy(`
')
optional_policy(`
@@ -33283,7 +33287,7 @@ index 0f28095..825cafb 100644
mta_send_mail(cupsd_t)
')
-@@ -371,8 +384,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +385,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -33294,7 +33298,7 @@ index 0f28095..825cafb 100644
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-@@ -393,6 +407,10 @@ dev_read_sysfs(cupsd_config_t)
+@@ -393,6 +408,10 @@ dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
@@ -33305,7 +33309,7 @@ index 0f28095..825cafb 100644
files_search_all_mountpoints(cupsd_config_t)
-@@ -425,11 +443,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +444,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -33319,7 +33323,7 @@ index 0f28095..825cafb 100644
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
-@@ -453,6 +471,10 @@ optional_policy(`
+@@ -453,6 +472,10 @@ optional_policy(`
')
optional_policy(`
@@ -33330,7 +33334,7 @@ index 0f28095..825cafb 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +489,10 @@ optional_policy(`
+@@ -467,6 +490,10 @@ optional_policy(`
')
optional_policy(`
@@ -33341,7 +33345,7 @@ index 0f28095..825cafb 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -587,13 +613,17 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,13 +614,17 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -33361,7 +33365,7 @@ index 0f28095..825cafb 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_auto_mountpoints(cups_pdf_t)
-@@ -606,6 +636,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -606,6 +637,10 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(cups_pdf_t)
')
@@ -33372,7 +33376,7 @@ index 0f28095..825cafb 100644
########################################
#
# HPLIP local policy
-@@ -639,7 +673,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +674,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -33381,7 +33385,7 @@ index 0f28095..825cafb 100644
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +719,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +720,7 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -33389,7 +33393,7 @@ index 0f28095..825cafb 100644
logging_send_syslog_msg(hplip_t)
-@@ -696,8 +731,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +732,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a727853..5eff3e4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 70%{?dist}
+Release: 71%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Jan 4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-71
+- New fix for seunshare, requires seunshare_domains to be able to mounton /
+
* Tue Jan 3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-70
- Allow systemctl running as logrotate_t to connect to private systemd socket
- Allow tmpwatch to read meminfo