[selinux-policy/f16] Add mysql_read_home_content() interface
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Mar 21 08:08:16 UTC 2012
commit fcc81154d5a8ed088b57161a64ce81728ae77e74
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Mar 21 09:08:03 2012 +0100
Add mysql_read_home_content() interface
policy-F16.patch | 43 ++++++++++++++++++++++++++++++++-----------
1 files changed, 32 insertions(+), 11 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index b091186..de11716 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -46393,10 +46393,10 @@ index cc7192c..eeb72ba 100644
#
/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
-index e9c0982..14d2939 100644
+index e9c0982..b3b1d5a 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
-@@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
+@@ -18,6 +18,43 @@ interface(`mysql_domtrans',`
domtrans_pattern($1, mysqld_exec_t, mysqld_t)
')
@@ -46418,10 +46418,29 @@ index e9c0982..14d2939 100644
+ can_exec($1, mysqld_exec_t)
+')
+
++#######################################
++## <summary>
++## read mysqld homedir content (.k5login)
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mysql_read_home_content',`
++ gen_require(`
++ type mysqld_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, mysqld_home_t, mysqld_home_t)
++')
++
########################################
## <summary>
## Send a generic signal to MySQL.
-@@ -36,6 +54,24 @@ interface(`mysql_signal',`
+@@ -36,6 +73,24 @@ interface(`mysql_signal',`
allow $1 mysqld_t:process signal;
')
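Review bot: The summary of the new `mysql_read_home_content` interface names only `.k5login`, but `read_files_pattern($1, mysqld_home_t, mysqld_home_t)` grants read on every file labeled `mysqld_home_t`, so the documented scope is narrower than the access given. Which paths carry that label is not visible in this hunk; if it also covers per-user client configuration, callers would gain read access to files that may hold credentials. I would state the real scope in the summary, for example `## Read all mysqld home directory files of type mysqld_home_t (such as .k5login).`, so that a policy author calling the interface can judge it against least privilege.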
@@ -46446,7 +46465,7 @@ index e9c0982..14d2939 100644
########################################
## <summary>
## Allow the specified domain to connect to postgresql with a tcp socket.
-@@ -73,6 +109,7 @@ interface(`mysql_stream_connect',`
+@@ -73,6 +128,7 @@ interface(`mysql_stream_connect',`
type mysqld_t, mysqld_var_run_t, mysqld_db_t;
')
@@ -46454,7 +46473,7 @@ index e9c0982..14d2939 100644
stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
')
-@@ -252,12 +289,12 @@ interface(`mysql_write_log',`
+@@ -252,12 +308,12 @@ interface(`mysql_write_log',`
')
logging_search_logs($1)
@@ -46469,7 +46488,7 @@ index e9c0982..14d2939 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -273,6 +310,24 @@ interface(`mysql_domtrans_mysql_safe',`
+@@ -273,6 +329,24 @@ interface(`mysql_domtrans_mysql_safe',`
domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
')
@@ -46494,7 +46513,7 @@ index e9c0982..14d2939 100644
#####################################
## <summary>
## Read MySQL PID files.
-@@ -313,6 +368,48 @@ interface(`mysql_search_pid_files',`
+@@ -313,6 +387,48 @@ interface(`mysql_search_pid_files',`
########################################
## <summary>
@@ -46543,7 +46562,7 @@ index e9c0982..14d2939 100644
## All of the rules required to administrate an mysql environment
## </summary>
## <param name="domain">
-@@ -329,10 +426,10 @@ interface(`mysql_search_pid_files',`
+@@ -329,10 +445,10 @@ interface(`mysql_search_pid_files',`
#
interface(`mysql_admin',`
gen_require(`
@@ -46558,7 +46577,7 @@ index e9c0982..14d2939 100644
')
allow $1 mysqld_t:process { ptrace signal_perms };
-@@ -343,13 +440,25 @@ interface(`mysql_admin',`
+@@ -343,13 +459,25 @@ interface(`mysql_admin',`
role_transition $2 mysqld_initrc_exec_t system_r;
allow $2 system_r;
@@ -65059,7 +65078,7 @@ index 4966c94..cb2e1a3 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..69aedbf 100644
+index 130ced9..5ab4df5 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -65786,7 +65805,7 @@ index 130ced9..69aedbf 100644
')
########################################
-@@ -1243,10 +1518,458 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1518,460 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -66208,6 +66227,8 @@ index 130ced9..69aedbf 100644
+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
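Review bot: The two added named transitions cover the `.Xauthority-l` and `.Xauthority-c` lock files, but the temporary file that xauth writes before renaming it over `.Xauthority` (conventionally `.Xauthority-n`) has no matching entry among the lines visible here. If it is not handled elsewhere, that file would be created with the default home-directory label and keep that label after the rename, leaving the cookie file outside `xauth_home_t`. Consider adding `userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n")` next to the new lines. The enclosing interface starts and ends outside this hunk, so an existing entry may already cover it.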