[selinux-policy] +- Add labeling for udisks2 +- Allow fsadmin to communicate with the systemd process
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Jan 23 21:35:59 UTC 2012
commit 75a7b93abc090d8c1d50fabda39bbea6987eb059
Author: Miroslav <mgrepl at redhat.com>
Date: Mon Jan 23 22:35:48 2012 +0100
+- Add labeling for udisks2
+- Allow fsadmin to communicate with the systemd process
policy-F16.patch | 57 ++++++++++++++++++++++++++++++++------------------
selinux-policy.spec | 6 ++++-
2 files changed, 41 insertions(+), 22 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 918a032..d3646ba 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -28276,7 +28276,7 @@ index de0bd67..1df2048 100644
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
-index f4e7ad3..6b577c2 100644
+index f4e7ad3..8ca4f90 100644
--- a/policy/modules/services/bitlbee.te
+++ b/policy/modules/services/bitlbee.te
@@ -22,29 +22,47 @@ files_tmp_file(bitlbee_tmp_t)
@@ -28287,7 +28287,7 @@ index f4e7ad3..6b577c2 100644
+logging_log_file(bitlbee_log_t)
+
+type bitlbee_var_run_t;
-+files_type(bitlbee_var_run_t)
++files_pid_file(bitlbee_var_run_t)
+
########################################
#
@@ -35682,29 +35682,34 @@ index 8ba9425..555058a 100644
+ gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc
-index 418a5a0..1041039 100644
+index 418a5a0..d13814e 100644
--- a/policy/modules/services/devicekit.fc
+++ b/policy/modules/services/devicekit.fc
-@@ -1,3 +1,7 @@
+@@ -1,3 +1,8 @@
+/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
++/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+
+/usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+
/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
-@@ -8,7 +12,12 @@
- /var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
- /var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+@@ -6,9 +11,14 @@
+ /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+ /var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+-/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
++/var/lib/udisks.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
++
+/var/log/pm-powersave\.log -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
+/var/log/pm-suspend\.log -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
-+
+
/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+-/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+
- /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
++/var/run/udisks.* gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
index f706b99..d41e4fe 100644
@@ -71330,7 +71335,7 @@ index a97a096..368d3c2 100644
/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index c28da1c..10bc43c 100644
+index c28da1c..1c68a7f 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -44,6 +44,8 @@ can_exec(fsadm_t, fsadm_exec_t)
@@ -71368,7 +71373,7 @@ index c28da1c..10bc43c 100644
mls_file_read_all_levels(fsadm_t)
mls_file_write_all_levels(fsadm_t)
-@@ -133,10 +142,12 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,13 +142,16 @@ storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
@@ -71381,7 +71386,11 @@ index c28da1c..10bc43c 100644
init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
init_dontaudit_getattr_initctl(fsadm_t)
-@@ -147,7 +158,7 @@ miscfiles_read_localization(fsadm_t)
++init_stream_connect(fsadm_t)
+
+ logging_send_syslog_msg(fsadm_t)
+
+@@ -147,7 +159,7 @@ miscfiles_read_localization(fsadm_t)
seutil_read_config(fsadm_t)
@@ -71390,7 +71399,7 @@ index c28da1c..10bc43c 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -166,6 +177,11 @@ optional_policy(`
+@@ -166,6 +178,11 @@ optional_policy(`
')
optional_policy(`
@@ -71402,7 +71411,7 @@ index c28da1c..10bc43c 100644
hal_dontaudit_write_log(fsadm_t)
')
-@@ -192,6 +208,10 @@ optional_policy(`
+@@ -192,6 +209,10 @@ optional_policy(`
')
optional_policy(`
@@ -77109,13 +77118,13 @@ index 4d06ae3..e81b7ac 100644
seutil_sigchld_newrole(cardmgr_t)
')
diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
-index ed9c70d..480267e 100644
+index ed9c70d..c298507 100644
--- a/policy/modules/system/raid.fc
+++ b/policy/modules/system/raid.fc
@@ -1,6 +1,14 @@
-/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
+/dev/.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0)
-+/dev/md(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
++/dev/md/.* -- gen_context(system_u:object_r:mdadm_var_run_t,s0)
/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
@@ -79439,10 +79448,10 @@ index 0000000..19ba4e1
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..115f05e
+index 0000000..6677509
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,387 @@
+@@ -0,0 +1,393 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -79549,9 +79558,6 @@ index 0000000..115f05e
+
+authlogin_read_state(systemd_logind_t)
+
-+dbus_connect_system_bus(systemd_logind_t)
-+dbus_system_bus_client(systemd_logind_t)
-+
+init_dbus_chat(systemd_logind_t)
+init_dbus_chat_script(systemd_logind_t)
+init_read_script_state(systemd_logind_t)
@@ -79576,6 +79582,15 @@ index 0000000..115f05e
+')
+
+optional_policy(`
++ dbus_connect_system_bus(systemd_logind_t)
++ dbus_system_bus_client(systemd_logind_t)
++')
++
++optional_policy(`
++ devicekit_dbus_chat_power(systemd_logind_t)
++')
++
++optional_policy(`
+ # we label /run/user/$USER/dconf as config_home_t
+ gnome_manage_home_config_dirs(systemd_logind_t)
+ gnome_manage_home_config(systemd_logind_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9f4b498..2d06f64 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -16,7 +16,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 77%{?dist}
+Release: 78%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Jan 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-78
+- Add labeling for udisks2
+- Allow fsadmin to communicate with the systemd process
+
* Mon Jan 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-77
- Treat Bip with bitlbee policy
* Bip is an IRC proxy
More information about the scm-commits
mailing list