[selinux-policy] +- Add labeling for udisks2 +- Allow fsadmin to communicate with the systemd process

Miroslav Grepl mgrepl at fedoraproject.org
Mon Jan 23 21:35:59 UTC 2012


commit 75a7b93abc090d8c1d50fabda39bbea6987eb059
Author: Miroslav <mgrepl at redhat.com>
Date:   Mon Jan 23 22:35:48 2012 +0100

    +- Add labeling for udisks2
    +- Allow fsadmin to communicate with the systemd process

 policy-F16.patch    |   57 ++++++++++++++++++++++++++++++++------------------
 selinux-policy.spec |    6 ++++-
 2 files changed, 41 insertions(+), 22 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 918a032..d3646ba 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -28276,7 +28276,7 @@ index de0bd67..1df2048 100644
  	domain_system_change_exemption($1)
  	role_transition $2 bitlbee_initrc_exec_t system_r;
 diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
-index f4e7ad3..6b577c2 100644
+index f4e7ad3..8ca4f90 100644
 --- a/policy/modules/services/bitlbee.te
 +++ b/policy/modules/services/bitlbee.te
 @@ -22,29 +22,47 @@ files_tmp_file(bitlbee_tmp_t)
@@ -28287,7 +28287,7 @@ index f4e7ad3..6b577c2 100644
 +logging_log_file(bitlbee_log_t)
 +
 +type bitlbee_var_run_t;
-+files_type(bitlbee_var_run_t)
++files_pid_file(bitlbee_var_run_t)
 +
  ########################################
  #
@@ -35682,29 +35682,34 @@ index 8ba9425..555058a 100644
 +	gnome_dontaudit_search_config(denyhosts_t)
 +')
 diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc
-index 418a5a0..1041039 100644
+index 418a5a0..d13814e 100644
 --- a/policy/modules/services/devicekit.fc
 +++ b/policy/modules/services/devicekit.fc
-@@ -1,3 +1,7 @@
+@@ -1,3 +1,8 @@
 +/lib/udev/udisks-part-id	--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
++/lib/udisks2/udisksd		--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
 +
 +/usr/lib/udev/udisks-part-id	--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
 +
  /usr/libexec/devkit-daemon	--	gen_context(system_u:object_r:devicekit_exec_t,s0)
  /usr/libexec/devkit-disks-daemon --	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
  /usr/libexec/devkit-power-daemon --	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
-@@ -8,7 +12,12 @@
- /var/lib/upower(/.*)?			gen_context(system_u:object_r:devicekit_var_lib_t,s0)
- /var/lib/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+@@ -6,9 +11,14 @@
  
+ /var/lib/DeviceKit-.*			gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+ /var/lib/upower(/.*)?			gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+-/var/lib/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_lib_t,s0)
++/var/lib/udisks.*			gen_context(system_u:object_r:devicekit_var_lib_t,s0)
++
 +/var/log/pm-powersave\.log	--	gen_context(system_u:object_r:devicekit_var_log_t,s0)
 +/var/log/pm-suspend\.log	--	gen_context(system_u:object_r:devicekit_var_log_t,s0)
-+
+ 
  /var/run/devkit(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
  /var/run/DeviceKit-disks(/.*)?		gen_context(system_u:object_r:devicekit_var_run_t,s0)
+-/var/run/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 +/var/run/pm-utils(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 +
- /var/run/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
++/var/run/udisks.*			gen_context(system_u:object_r:devicekit_var_run_t,s0)
  /var/run/upower(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
 index f706b99..d41e4fe 100644
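Review bot: The rewritten patterns `/var/lib/udisks.*` and `/var/run/udisks.*` match every entry whose name merely starts with `udisks` under those directories, not only `udisks`/`udisks2` and their contents, so an unrelated sibling such as a `udisks-foo` file would also be labeled devicekit_var_lib_t or devicekit_var_run_t. A tighter form that still covers both versions is `/var/lib/udisks2?(/.*)?` and `/var/run/udisks2?(/.*)?`. The hunk also labels only `/lib/udisks2/udisksd`, while the udisks-part-id entries just above carry both the `/lib/udev/...` and `/usr/lib/udev/...` spellings; a matching `/usr/lib/udisks2/udisksd` line would keep the two consistent if the daemon can live under either prefix.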
@@ -71330,7 +71335,7 @@ index a97a096..368d3c2 100644
  
  /var/log/fsck(/.*)?		gen_context(system_u:object_r:fsadm_log_t,s0)
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index c28da1c..10bc43c 100644
+index c28da1c..1c68a7f 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
 @@ -44,6 +44,8 @@ can_exec(fsadm_t, fsadm_exec_t)
@@ -71368,7 +71373,7 @@ index c28da1c..10bc43c 100644
  mls_file_read_all_levels(fsadm_t)
  mls_file_write_all_levels(fsadm_t)
  
-@@ -133,10 +142,12 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,13 +142,16 @@ storage_raw_write_fixed_disk(fsadm_t)
  storage_raw_read_removable_device(fsadm_t)
  storage_raw_write_removable_device(fsadm_t)
  storage_read_scsi_generic(fsadm_t)
@@ -71381,7 +71386,11 @@ index c28da1c..10bc43c 100644
  init_use_fds(fsadm_t)
  init_use_script_ptys(fsadm_t)
  init_dontaudit_getattr_initctl(fsadm_t)
-@@ -147,7 +158,7 @@ miscfiles_read_localization(fsadm_t)
++init_stream_connect(fsadm_t)
+ 
+ logging_send_syslog_msg(fsadm_t)
+ 
+@@ -147,7 +159,7 @@ miscfiles_read_localization(fsadm_t)
  
  seutil_read_config(fsadm_t)
  
@@ -71390,7 +71399,7 @@ index c28da1c..10bc43c 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -166,6 +177,11 @@ optional_policy(`
+@@ -166,6 +178,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -71402,7 +71411,7 @@ index c28da1c..10bc43c 100644
  	hal_dontaudit_write_log(fsadm_t)
  ')
  
-@@ -192,6 +208,10 @@ optional_policy(`
+@@ -192,6 +209,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -77109,13 +77118,13 @@ index 4d06ae3..e81b7ac 100644
  	seutil_sigchld_newrole(cardmgr_t)
  ')
 diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
-index ed9c70d..480267e 100644
+index ed9c70d..c298507 100644
 --- a/policy/modules/system/raid.fc
 +++ b/policy/modules/system/raid.fc
 @@ -1,6 +1,14 @@
 -/dev/.mdadm.map		--	gen_context(system_u:object_r:mdadm_map_t,s0)
 +/dev/.mdadm\.map	--	gen_context(system_u:object_r:mdadm_var_run_t,s0)
-+/dev/md(/.*)?			gen_context(system_u:object_r:mdadm_var_run_t,s0)
++/dev/md/.*		--	gen_context(system_u:object_r:mdadm_var_run_t,s0)
  
  /sbin/mdadm		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /sbin/mdmpd		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
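Review bot: The replacement `/dev/md/.*  --` restricts the match to regular files, so the `/dev/md` directory itself and any non-regular entries under it (symlinks to md devices, if mdadm places them there) no longer receive mdadm_var_run_t, which the previous `/dev/md(/.*)?` covered. If narrowing to regular files is deliberate, a short comment above the line would make that explicit; otherwise an additional `/dev/md/.*  -l  gen_context(system_u:object_r:mdadm_var_run_t,s0)` line would keep symlinks covered.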
@@ -79439,10 +79448,10 @@ index 0000000..19ba4e1
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..115f05e
+index 0000000..6677509
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,387 @@
+@@ -0,0 +1,393 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -79549,9 +79558,6 @@ index 0000000..115f05e
 +
 +authlogin_read_state(systemd_logind_t)
 +
-+dbus_connect_system_bus(systemd_logind_t)
-+dbus_system_bus_client(systemd_logind_t)
-+
 +init_dbus_chat(systemd_logind_t)
 +init_dbus_chat_script(systemd_logind_t)
 +init_read_script_state(systemd_logind_t)
@@ -79576,6 +79582,15 @@ index 0000000..115f05e
 +')
 +
 +optional_policy(`
++	dbus_connect_system_bus(systemd_logind_t)
++	dbus_system_bus_client(systemd_logind_t)
++')
++
++optional_policy(`
++	devicekit_dbus_chat_power(systemd_logind_t)
++')
++
++optional_policy(`
 +	# we label /run/user/$USER/dconf as config_home_t
 +	gnome_manage_home_config_dirs(systemd_logind_t)
 +	gnome_manage_home_config(systemd_logind_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9f4b498..2d06f64 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -16,7 +16,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 77%{?dist}
+Release: 78%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Jan 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-78
+- Add labeling for udisks2
+- Allow fsadmin to communicate with the systemd process
+
 * Mon Jan 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-77
 - Treat Bip with bitlbee policy
       * Bip is an IRC proxy

