[selinux-policy/f18] Adopt pki-selinux -policy
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Oct 23 15:49:00 UTC 2012
commit c4ea0499cb2084eff710a075a6ba2114216612b1
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Oct 23 17:48:49 2012 +0200
Adopt pki-selinux policy
policy_contrib-rawhide.patch | 85 ++++++++++++++++++++++++++++++------------
1 files changed, 61 insertions(+), 24 deletions(-)
---
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 4f753b3..854e721 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -4965,7 +4965,7 @@ index d80a16b..ef740ef 100644
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
-index 39799db..07d242d 100644
+index 39799db..6264256 100644
--- a/automount.te
+++ b/automount.te
@@ -22,6 +22,9 @@ type automount_tmp_t;
@@ -4978,7 +4978,13 @@ index 39799db..07d242d 100644
########################################
#
# Local policy
-@@ -61,9 +64,11 @@ kernel_read_fs_sysctls(automount_t)
+@@ -56,14 +59,17 @@ manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
+ files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })
+
+ kernel_read_kernel_sysctls(automount_t)
++kernel_read_vm_sysctls(automount_t)
+ kernel_read_irq_sysctls(automount_t)
+ kernel_read_fs_sysctls(automount_t)
kernel_read_proc_symlinks(automount_t)
kernel_read_system_state(automount_t)
kernel_read_network_state(automount_t)
@@ -4990,7 +4996,7 @@ index 39799db..07d242d 100644
files_search_boot(automount_t)
# Automount is slowly adding all mount functionality internally
files_search_all(automount_t)
-@@ -79,7 +84,6 @@ fs_search_all(automount_t)
+@@ -79,7 +85,6 @@ fs_search_all(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
@@ -4998,7 +5004,7 @@ index 39799db..07d242d 100644
corenet_all_recvfrom_netlabel(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
-@@ -113,7 +117,6 @@ files_dontaudit_write_var_dirs(automount_t)
+@@ -113,7 +118,6 @@ files_dontaudit_write_var_dirs(automount_t)
files_getattr_all_dirs(automount_t)
files_list_mnt(automount_t)
files_getattr_home_dir(automount_t)
@@ -5006,7 +5012,7 @@ index 39799db..07d242d 100644
files_read_etc_runtime_files(automount_t)
# for if the mount point is not labelled
files_getattr_isid_type_dirs(automount_t)
-@@ -140,13 +143,8 @@ auth_use_nsswitch(automount_t)
+@@ -140,13 +144,8 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
@@ -5020,7 +5026,7 @@ index 39799db..07d242d 100644
userdom_dontaudit_use_unpriv_user_fds(automount_t)
userdom_dontaudit_search_user_home_dirs(automount_t)
-@@ -155,6 +153,13 @@ optional_policy(`
+@@ -155,6 +154,13 @@ optional_policy(`
')
optional_policy(`
@@ -14221,7 +14227,7 @@ index 305ddf4..f3cd95f 100644
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
')
diff --git a/cups.te b/cups.te
-index e5a8924..c5c823c 100644
+index e5a8924..cd3c7de 100644
--- a/cups.te
+++ b/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -14545,7 +14551,18 @@ index e5a8924..c5c823c 100644
')
########################################
-@@ -635,9 +658,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+@@ -613,6 +636,10 @@ tunable_policy(`use_samba_home_dirs',`
+
+ # Needed for USB Scanneer and xsane
+ allow hplip_t self:capability { dac_override dac_read_search net_raw };
++#sched_setscheduler
++allow hplip_t self:capability sys_nice;
++allow hplip_t self:process setsched;
++
+ dontaudit hplip_t self:capability sys_tty_config;
+ allow hplip_t self:fifo_file rw_fifo_file_perms;
+ allow hplip_t self:process signal_perms;
+@@ -635,9 +662,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
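Review bot: The new `sys_nice` capability and `setsched` process permission for hplip_t carry only the bare `#sched_setscheduler` comment, which does not follow the surrounding comment style (`# Needed for USB Scanneer and xsane`) and does not name the HPLIP component that makes the call. CAP_SYS_NICE is broader than that one syscall, since it also covers raising priority and touching the scheduling of other processes, so the why is worth recording: `# sched_setscheduler(): setsched, plus sys_nice when raising priority (presumably an hp-* helper; confirm against the AVC)`. The logwatch.te hunk further down adds the same `sys_nice`/`setsched` pair with no comment at all and should get an equivalent line. Both widen domains unrelated to the pki policy the commit title names, so they would be easier to audit as a separate commit.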
@@ -14562,7 +14579,7 @@ index e5a8924..c5c823c 100644
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
-@@ -647,7 +677,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+@@ -647,7 +681,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
@@ -14573,7 +14590,7 @@ index e5a8924..c5c823c 100644
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_generic_if(hplip_t)
corenet_udp_sendrecv_generic_if(hplip_t)
-@@ -661,10 +693,10 @@ corenet_tcp_bind_generic_node(hplip_t)
+@@ -661,10 +697,10 @@ corenet_tcp_bind_generic_node(hplip_t)
corenet_udp_bind_generic_node(hplip_t)
corenet_tcp_bind_hplip_port(hplip_t)
corenet_tcp_connect_hplip_port(hplip_t)
@@ -14587,7 +14604,7 @@ index e5a8924..c5c823c 100644
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
-@@ -673,31 +705,34 @@ dev_read_rand(hplip_t)
+@@ -673,31 +709,34 @@ dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
dev_rw_usbfs(hplip_t)
@@ -14609,10 +14626,10 @@ index e5a8924..c5c823c 100644
+fs_getattr_all_fs(hplip_t)
+fs_search_auto_mountpoints(hplip_t)
+fs_rw_anon_inodefs_files(hplip_t)
-+
-+term_use_ptmx(hplip_t)
-miscfiles_read_localization(hplip_t)
++term_use_ptmx(hplip_t)
++
+auth_read_passwd(hplip_t)
+
+logging_send_syslog_msg(hplip_t)
@@ -14633,7 +14650,7 @@ index e5a8924..c5c823c 100644
optional_policy(`
dbus_system_bus_client(hplip_t)
-@@ -743,7 +778,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -743,7 +782,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -14641,7 +14658,7 @@ index e5a8924..c5c823c 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -760,13 +794,10 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -760,13 +798,10 @@ fs_search_auto_mountpoints(ptal_t)
domain_use_interactive_fds(ptal_t)
@@ -30733,7 +30750,7 @@ index 3c7b1e8..1e155f5 100644
+
+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --git a/logwatch.te b/logwatch.te
-index 75ce30f..9279c2d 100644
+index 75ce30f..12abef6 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0)
@@ -30744,7 +30761,7 @@ index 75ce30f..9279c2d 100644
application_domain(logwatch_t, logwatch_exec_t)
role system_r types logwatch_t;
-@@ -19,6 +20,12 @@ files_lock_file(logwatch_lock_t)
+@@ -19,13 +20,19 @@ files_lock_file(logwatch_lock_t)
type logwatch_tmp_t;
files_tmp_file(logwatch_tmp_t)
@@ -30757,6 +30774,15 @@ index 75ce30f..9279c2d 100644
########################################
#
# Local policy
+ #
+
+-allow logwatch_t self:capability { dac_override dac_read_search setgid };
+-allow logwatch_t self:process signal;
++allow logwatch_t self:capability { dac_override dac_read_search setgid sys_nice };
++allow logwatch_t self:process { signal setsched };
+ allow logwatch_t self:fifo_file rw_file_perms;
+ allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
+
@@ -39,6 +46,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
@@ -42606,7 +42632,7 @@ index ceafba6..47b690d 100644
+ udev_read_db(pcscd_t)
+')
diff --git a/pegasus.te b/pegasus.te
-index 3185114..4daaf7e 100644
+index 3185114..2a4e326 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -9,6 +9,9 @@ type pegasus_t;
@@ -42699,10 +42725,14 @@ index 3185114..4daaf7e 100644
sysnet_read_config(pegasus_t)
sysnet_domtrans_ifconfig(pegasus_t)
-@@ -121,12 +130,31 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
+@@ -121,12 +130,39 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_user_home_dirs(pegasus_t)
optional_policy(`
++ corosync_stream_connect(pegasus_t)
++')
++
++optional_policy(`
+ hostname_exec(pegasus_t)
+')
+
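Review bot: The new `corosync_stream_connect(pegasus_t)` block, together with the `ricci_stream_connect_modclusterd(pegasus_t)` block in the next hunk, lets the CIM server domain connect to the cluster daemons' sockets, which is unrelated to the pki policy named in the commit title and has no comment saying which provider needs it. Each block should carry a why line such as `# cluster CIM providers talk to corosync / modclusterd over their unix sockets (confirm against the AVC)`, and ideally the pegasus change would land as its own commit so the widening is visible in history. Both calls assume those interfaces are defined in this tree's contrib corosync.if and ricci.if, which are not visible here; worth checking they resolve before the build.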
@@ -42711,6 +42741,10 @@ index 3185114..4daaf7e 100644
+')
+
+optional_policy(`
++ ricci_stream_connect_modclusterd(pegasus_t)
++')
++
++optional_policy(`
rpm_exec(pegasus_t)
')
@@ -42732,7 +42766,7 @@ index 3185114..4daaf7e 100644
')
optional_policy(`
-@@ -136,3 +164,14 @@ optional_policy(`
+@@ -136,3 +172,14 @@ optional_policy(`
optional_policy(`
unconfined_signull(pegasus_t)
')
@@ -43905,10 +43939,10 @@ index 0000000..24087ed
+/usr/lib/systemd/system/pki-tomcat.* -- gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
-index 0000000..7104911
+index 0000000..83c13cf
--- /dev/null
+++ b/pki.if
-@@ -0,0 +1,246 @@
+@@ -0,0 +1,248 @@
+
+## <summary>policy for pki</summary>
+########################################
@@ -43924,8 +43958,10 @@ index 0000000..7104911
+interface(`pki_rw_tomcat_cert',`
+ gen_require(`
+ type pki_tomcat_cert_t;
++ type pki_tomcat_etc_rw_t;
+ ')
+
++ allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms;
+ rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+')
+
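Review bot: The added `allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms;` inside `pki_rw_tomcat_cert` widens an interface whose name promises only cert file read/write, with no comment saying why the etc_rw directory has to be searched; the interface's doc block sits above the hunk and is not visible here, so it is unclear the summary was updated to match. A why comment such as `# cert db is reached through pki_tomcat_etc_rw_t dirs (confirm against the file contexts)` and a matching summary line would close that gap. Contrib style would also prefer `search_dirs_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)` over a raw allow, in line with the `rw_files_pattern` call right below it.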
@@ -44157,10 +44193,10 @@ index 0000000..7104911
+
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..e15f399
+index 0000000..5e5f291
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,288 @@
+@@ -0,0 +1,289 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -44259,6 +44295,7 @@ index 0000000..e15f399
+read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
+allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
+allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;
++systemd_search_unit_dirs(pki_tomcat_t)
+
+# allow java subsystems to talk to the ncipher hsm
+allow pki_tomcat_t pki_common_dev_t:sock_file write;
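Review bot: `systemd_search_unit_dirs(pki_tomcat_t)` is dropped between raw allow rules on pki_tomcat_unit_file_t rather than in the module's interface-call section, and nothing says what access path it completes; presumably the `read_lnk_files_pattern` on the unit files above needs the directory search to resolve. A one-liner such as `# unit dir search so the unit_file_t rules above are reachable (confirm from the AVC)` would make that explicit. Separately, the neighbouring `file setattr` / `lnk_file setattr` on the domain's own unit files are pre-existing context, but a service domain that can alter the attributes of its systemd units deserves a second look while this block is being touched.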