[selinux-policy/f16] Add mysql_read_home_content() interface

Miroslav Grepl mgrepl at fedoraproject.org
Wed Mar 21 08:08:16 UTC 2012


commit fcc81154d5a8ed088b57161a64ce81728ae77e74
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Mar 21 09:08:03 2012 +0100

    Add mysql_read_home_content() interface

 policy-F16.patch |   43 ++++++++++++++++++++++++++++++++-----------
 1 files changed, 32 insertions(+), 11 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index b091186..de11716 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -46393,10 +46393,10 @@ index cc7192c..eeb72ba 100644
  #
  /etc/my\.cnf		--	gen_context(system_u:object_r:mysqld_etc_t,s0)
 diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
-index e9c0982..14d2939 100644
+index e9c0982..b3b1d5a 100644
 --- a/policy/modules/services/mysql.if
 +++ b/policy/modules/services/mysql.if
-@@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
+@@ -18,6 +18,43 @@ interface(`mysql_domtrans',`
  	domtrans_pattern($1, mysqld_exec_t, mysqld_t)
  ')
  
@@ -46418,10 +46418,29 @@ index e9c0982..14d2939 100644
 +	can_exec($1, mysqld_exec_t)
 +')
 +
++#######################################
++## <summary>
++##  read mysqld homedir content (.k5login)
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`mysql_read_home_content',`
++    gen_require(`
++        type mysqld_home_t;
++    ')
++
++    userdom_search_user_home_dirs($1)
++    read_files_pattern($1, mysqld_home_t, mysqld_home_t)
++')
++
  ########################################
  ## <summary>
  ##	Send a generic signal to MySQL.
-@@ -36,6 +54,24 @@ interface(`mysql_signal',`
+@@ -36,6 +73,24 @@ interface(`mysql_signal',`
  	allow $1 mysqld_t:process signal;
  ')
  
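Review bot: The summary of `mysql_read_home_content` names only `.k5login`, but `read_files_pattern($1, mysqld_home_t, mysqld_home_t)` grants read on every file labelled `mysqld_home_t`, so callers receive more than the comment promises. If that type also labels per-user MySQL client configuration (the file contexts are not visible in this hunk), those files may hold credentials, and the interface should be granted only to domains that need them. I would make the summary state what the rule does, e.g. `##	Read all files labelled mysqld_home_t in user home directories.`, and move the `.k5login` use case into a `## <desc>` block. The new body is also indented with four spaces where the surrounding mysql.if lines use tabs. The added `.Xauthority-c` line in the last xserver.if hunk has the same indentation slip.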
@@ -46446,7 +46465,7 @@ index e9c0982..14d2939 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to postgresql with a tcp socket.
-@@ -73,6 +109,7 @@ interface(`mysql_stream_connect',`
+@@ -73,6 +128,7 @@ interface(`mysql_stream_connect',`
  		type mysqld_t, mysqld_var_run_t, mysqld_db_t;
  	')
  
@@ -46454,7 +46473,7 @@ index e9c0982..14d2939 100644
  	stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
  	stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
  ')
-@@ -252,12 +289,12 @@ interface(`mysql_write_log',`
+@@ -252,12 +308,12 @@ interface(`mysql_write_log',`
  	')
  
  	logging_search_logs($1)
@@ -46469,7 +46488,7 @@ index e9c0982..14d2939 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -273,6 +310,24 @@ interface(`mysql_domtrans_mysql_safe',`
+@@ -273,6 +329,24 @@ interface(`mysql_domtrans_mysql_safe',`
  	domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
  ')
  
@@ -46494,7 +46513,7 @@ index e9c0982..14d2939 100644
  #####################################
  ## <summary>
  ##	Read MySQL PID files.
-@@ -313,6 +368,48 @@ interface(`mysql_search_pid_files',`
+@@ -313,6 +387,48 @@ interface(`mysql_search_pid_files',`
  
  ########################################
  ## <summary>
@@ -46543,7 +46562,7 @@ index e9c0982..14d2939 100644
  ##	All of the rules required to administrate an mysql environment
  ## </summary>
  ## <param name="domain">
-@@ -329,10 +426,10 @@ interface(`mysql_search_pid_files',`
+@@ -329,10 +445,10 @@ interface(`mysql_search_pid_files',`
  #
  interface(`mysql_admin',`
  	gen_require(`
@@ -46558,7 +46577,7 @@ index e9c0982..14d2939 100644
  	')
  
  	allow $1 mysqld_t:process { ptrace signal_perms };
-@@ -343,13 +440,25 @@ interface(`mysql_admin',`
+@@ -343,13 +459,25 @@ interface(`mysql_admin',`
  	role_transition $2 mysqld_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -65059,7 +65078,7 @@ index 4966c94..cb2e1a3 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..69aedbf 100644
+index 130ced9..5ab4df5 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -65786,7 +65805,7 @@ index 130ced9..69aedbf 100644
  ')
  
  ########################################
-@@ -1243,10 +1518,458 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1518,460 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -66208,6 +66227,8 @@ index 130ced9..69aedbf 100644
 +	userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
 +	userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
 +	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
++	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
++    userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
 +	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
 +	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
 +	userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")

