[selinux-policy/f19] - Allow samba-net to also read realmd tmp files - Allow NUT to use serial ports - realmd can be star

Miroslav Grepl mgrepl at fedoraproject.org
Mon May 6 14:19:43 UTC 2013


commit e105ec171b7f2c3781542f2ee57bda9fef1d2d45
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon May 6 16:19:27 2013 +0200

    - Allow samba-net to also read realmd tmp files
    - Allow NUT to use serial ports
    - realmd can be started by systemctl now

 policy-rawhide-contrib.patch |  107 ++++++++++++++++++++++++++---------------
 selinux-policy.spec          |    7 ++-
 2 files changed, 74 insertions(+), 40 deletions(-)
---
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 18b44ed..59d0278 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -46962,7 +46962,7 @@ index 57c0161..54bd4d7 100644
 +    ps_process_pattern($1, swift_t)
  ')
 diff --git a/nut.te b/nut.te
-index 0c9deb7..dbc52a1 100644
+index 0c9deb7..ea0ba5c 100644
 --- a/nut.te
 +++ b/nut.te
 @@ -1,121 +1,108 @@
@@ -47163,7 +47163,13 @@ index 0c9deb7..dbc52a1 100644
  corecmd_exec_bin(nut_upsdrvctl_t)
  
  dev_read_sysfs(nut_upsdrvctl_t)
-@@ -144,17 +144,28 @@ auth_use_nsswitch(nut_upsdrvctl_t)
+@@ -139,22 +139,34 @@ dev_read_urand(nut_upsdrvctl_t)
+ dev_rw_generic_usb_dev(nut_upsdrvctl_t)
+ 
+ term_use_unallocated_ttys(nut_upsdrvctl_t)
++term_use_usb_ttys(nut_upsdrvctl_t)
+ 
+ auth_use_nsswitch(nut_upsdrvctl_t)
  
  init_sigchld(nut_upsdrvctl_t)
  
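Review bot: The added `term_use_usb_ttys(nut_upsdrvctl_t)` grants read/write on usbtty_device_t (USB-attached serial adapters, as I read that interface in refpolicy), whereas the commit message and the changelog entry say "serial ports"; classic /dev/ttyS* devices are tty_device_t and are already covered by the `term_use_unallocated_ttys(nut_upsdrvctl_t)` line just above. If USB-to-serial UPS cables are the intended target, a comment such as `# USB-serial UPS cables (usbtty_device_t)` above the new line would make the policy self-explaining, and the changelog line could say "USB serial ports" so the scope of the new access is clear to anyone auditing the module. The nut_upsdrvctl_t section continues outside this hunk.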
@@ -63874,7 +63880,7 @@ index 04babe3..3b92679 100644
 +
 +/var/lib/ipa-client(/.*)?		gen_context(system_u:object_r:realmd_var_lib_t,s0)
 diff --git a/realmd.if b/realmd.if
-index bff31df..3b5faf0 100644
+index bff31df..3b2a829 100644
 --- a/realmd.if
 +++ b/realmd.if
 @@ -1,8 +1,9 @@
@@ -63889,7 +63895,7 @@ index bff31df..3b5faf0 100644
  ## </summary>
  ## <param name="domain">
  ## <summary>
-@@ -39,3 +40,80 @@ interface(`realmd_dbus_chat',`
+@@ -39,3 +40,101 @@ interface(`realmd_dbus_chat',`
  	allow $1 realmd_t:dbus send_msg;
  	allow realmd_t $1:dbus send_msg;
  ')
@@ -63970,8 +63976,29 @@ index bff31df..3b5faf0 100644
 +	files_search_var($1)
 +	manage_dirs_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
 +')
++
++
++########################################
++## <summary>
++##	Read realmd tmp files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`realmd_read_tmp_files',`
++	gen_require(`
++		type realmd_tmp_t;
++	')
++
++	files_search_var($1)
++	read_files_pattern($1, realmd_tmp_t, realmd_tmp_t)
++')
++
 diff --git a/realmd.te b/realmd.te
-index 9a8f052..c558c79 100644
+index 9a8f052..3baa71a 100644
 --- a/realmd.te
 +++ b/realmd.te
 @@ -1,4 +1,4 @@
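Review bot: The new `realmd_read_tmp_files` interface calls `files_search_var($1)` before `read_files_pattern($1, realmd_tmp_t, realmd_tmp_t)`, which looks copied from `realmd_read_cache_files` directly above; realmd_tmp_t is presumably a tmp type declared in realmd.te, so the search permission a caller needs to reach those files is on the tmp directory, i.e. `files_search_tmp($1)`. As written, the only caller in this commit, `realmd_read_tmp_files(samba_net_t)` in samba.te further down, may get the file read rule but still be denied the directory search unless it already has tmp search from elsewhere. Separately, the interface is inserted with two blank lines before it and one after, where the rest of this file uses a single blank line between interfaces.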
@@ -63980,11 +64007,12 @@ index 9a8f052..c558c79 100644
  
  ########################################
  #
-@@ -7,47 +7,88 @@ policy_module(realmd, 1.0.2)
+@@ -7,47 +7,89 @@ policy_module(realmd, 1.0.2)
  
  type realmd_t;
  type realmd_exec_t;
 -init_system_domain(realmd_t, realmd_exec_t)
++init_daemon_domain(realmd_t, realmd_exec_t)
 +application_domain(realmd_t, realmd_exec_t)
 +role system_r types realmd_t;
 +
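Review bot: `role system_r types realmd_t;` on the line after `application_domain(realmd_t, realmd_exec_t)` becomes redundant once `init_daemon_domain(realmd_t, realmd_exec_t)` is used, since that interface declares the system_r association itself; duplicate role statements are harmless but the leftover line hides the fact that the change from init_system_domain to init_daemon_domain is what makes the systemctl start work. Keeping `application_domain` alongside `init_daemon_domain` is also unusual for a daemon; if it is intentional (realmd invoked from a user session as well as by init), a one-line comment such as `# realmd is started by init and can also run as an application` above the pair would spare the next maintainer the guess. The rest of the realmd_t declarations continue outside this hunk.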
@@ -64081,7 +64109,7 @@ index 9a8f052..c558c79 100644
  		networkmanager_dbus_chat(realmd_t)
  	')
  
-@@ -63,21 +104,40 @@ optional_policy(`
+@@ -63,21 +105,40 @@ optional_policy(`
  optional_policy(`
  	kerberos_use(realmd_t)
  	kerberos_rw_keytab(realmd_t)
@@ -64125,7 +64153,7 @@ index 9a8f052..c558c79 100644
  ')
  
  optional_policy(`
-@@ -86,5 +146,27 @@ optional_policy(`
+@@ -86,5 +147,27 @@ optional_policy(`
  	sssd_manage_lib_files(realmd_t)
  	sssd_manage_public_files(realmd_t)
  	sssd_read_pid_files(realmd_t)
@@ -71385,7 +71413,7 @@ index aee75af..a6bab06 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 57c034b..7369a2c 100644
+index 57c034b..31e7d21 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -1,4 +1,4 @@
@@ -71656,11 +71684,12 @@ index 57c034b..7369a2c 100644
  ')
  
  optional_policy(`
-@@ -245,38 +236,47 @@ optional_policy(`
+@@ -245,38 +236,48 @@ optional_policy(`
  ')
  
  optional_policy(`
 +    realmd_read_cache_files(samba_net_t)
++    realmd_read_tmp_files(samba_net_t)
 +')
 +
 +optional_policy(`
@@ -71716,7 +71745,7 @@ index 57c034b..7369a2c 100644
  
  manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t)
  filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
-@@ -292,6 +292,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+@@ -292,6 +293,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
  
@@ -71725,7 +71754,7 @@ index 57c034b..7369a2c 100644
  manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
  manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
  files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
-@@ -301,11 +303,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+@@ -301,11 +304,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
  
@@ -71741,7 +71770,7 @@ index 57c034b..7369a2c 100644
  
  kernel_getattr_core_if(smbd_t)
  kernel_getattr_message_if(smbd_t)
-@@ -315,43 +317,33 @@ kernel_read_kernel_sysctls(smbd_t)
+@@ -315,43 +318,33 @@ kernel_read_kernel_sysctls(smbd_t)
  kernel_read_software_raid_state(smbd_t)
  kernel_read_system_state(smbd_t)
  
@@ -71796,7 +71825,7 @@ index 57c034b..7369a2c 100644
  fs_getattr_all_fs(smbd_t)
  fs_getattr_all_dirs(smbd_t)
  fs_get_xattr_fs_quotas(smbd_t)
-@@ -360,44 +352,54 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -360,44 +353,54 @@ fs_getattr_rpc_dirs(smbd_t)
  fs_list_inotifyfs(smbd_t)
  fs_get_all_fs_quotas(smbd_t)
  
@@ -71862,7 +71891,7 @@ index 57c034b..7369a2c 100644
  ')
  
  tunable_policy(`samba_domain_controller',`
-@@ -413,20 +415,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -413,20 +416,10 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -71885,7 +71914,7 @@ index 57c034b..7369a2c 100644
  tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_dirs(smbd_t)
  	fs_manage_nfs_files(smbd_t)
-@@ -435,6 +427,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -435,6 +428,7 @@ tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
@@ -71893,7 +71922,7 @@ index 57c034b..7369a2c 100644
  tunable_policy(`samba_share_fusefs',`
  	fs_manage_fusefs_dirs(smbd_t)
  	fs_manage_fusefs_files(smbd_t)
-@@ -442,17 +435,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -442,17 +436,6 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -71911,7 +71940,7 @@ index 57c034b..7369a2c 100644
  optional_policy(`
  	ccs_read_config(smbd_t)
  ')
-@@ -473,6 +455,11 @@ optional_policy(`
+@@ -473,6 +456,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -71923,7 +71952,7 @@ index 57c034b..7369a2c 100644
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -493,9 +480,33 @@ optional_policy(`
+@@ -493,9 +481,33 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -71958,7 +71987,7 @@ index 57c034b..7369a2c 100644
  #
  
  dontaudit nmbd_t self:capability sys_tty_config;
-@@ -506,9 +517,11 @@ allow nmbd_t self:msg { send receive };
+@@ -506,9 +518,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -71973,7 +72002,7 @@ index 57c034b..7369a2c 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -520,20 +533,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -520,20 +534,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -71997,7 +72026,7 @@ index 57c034b..7369a2c 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -542,52 +550,40 @@ kernel_read_network_state(nmbd_t)
+@@ -542,52 +551,40 @@ kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
  
@@ -72062,7 +72091,7 @@ index 57c034b..7369a2c 100644
  ')
  
  optional_policy(`
-@@ -600,17 +596,24 @@ optional_policy(`
+@@ -600,17 +597,24 @@ optional_policy(`
  
  ########################################
  #
@@ -72091,7 +72120,7 @@ index 57c034b..7369a2c 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -620,16 +623,12 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -620,16 +624,12 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -72109,7 +72138,7 @@ index 57c034b..7369a2c 100644
  
  optional_policy(`
  	ctdbd_stream_connect(smbcontrol_t)
-@@ -637,22 +636,23 @@ optional_policy(`
+@@ -637,22 +637,23 @@ optional_policy(`
  
  ########################################
  #
@@ -72141,7 +72170,7 @@ index 57c034b..7369a2c 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -661,26 +661,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -661,26 +662,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -72177,7 +72206,7 @@ index 57c034b..7369a2c 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -692,58 +688,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -692,58 +689,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -72269,7 +72298,7 @@ index 57c034b..7369a2c 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -752,17 +767,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -752,17 +768,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -72293,7 +72322,7 @@ index 57c034b..7369a2c 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -770,36 +781,25 @@ kernel_read_network_state(swat_t)
+@@ -770,36 +782,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -72336,7 +72365,7 @@ index 57c034b..7369a2c 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -811,10 +811,11 @@ logging_send_syslog_msg(swat_t)
+@@ -811,10 +812,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -72350,7 +72379,7 @@ index 57c034b..7369a2c 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -837,13 +838,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+@@ -837,13 +839,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
  dontaudit winbind_t self:capability sys_tty_config;
  allow winbind_t self:process { signal_perms getsched setsched };
  allow winbind_t self:fifo_file rw_fifo_file_perms;
@@ -72370,7 +72399,7 @@ index 57c034b..7369a2c 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +856,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -853,9 +857,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -72381,7 +72410,7 @@ index 57c034b..7369a2c 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -866,23 +867,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -866,23 +868,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -72411,7 +72440,7 @@ index 57c034b..7369a2c 100644
  manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
  
  kernel_read_network_state(winbind_t)
-@@ -891,13 +890,17 @@ kernel_read_system_state(winbind_t)
+@@ -891,13 +891,17 @@ kernel_read_system_state(winbind_t)
  
  corecmd_exec_bin(winbind_t)
  
@@ -72432,7 +72461,7 @@ index 57c034b..7369a2c 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +908,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -905,10 +909,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -72443,7 +72472,7 @@ index 57c034b..7369a2c 100644
  
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
-@@ -917,18 +916,24 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,18 +917,24 @@ auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
  auth_manage_cache(winbind_t)
  
@@ -72470,7 +72499,7 @@ index 57c034b..7369a2c 100644
  
  optional_policy(`
  	ctdbd_stream_connect(winbind_t)
-@@ -936,7 +941,12 @@ optional_policy(`
+@@ -936,7 +942,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -72483,7 +72512,7 @@ index 57c034b..7369a2c 100644
  ')
  
  optional_policy(`
-@@ -952,31 +962,29 @@ optional_policy(`
+@@ -952,31 +963,29 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -72521,7 +72550,7 @@ index 57c034b..7369a2c 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -990,25 +998,38 @@ optional_policy(`
+@@ -990,25 +999,38 @@ optional_policy(`
  
  ########################################
  #
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 65a4025..24f2db5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 41%{?dist}
+Release: 42%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -530,6 +530,11 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon May 6 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-42
+- Allow samba-net to also read realmd tmp files
+- Allow NUT to use serial ports
+- realmd can be started by systemctl now
+
 * Mon May 6 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-41
 - Remove userdom_home_manager for xdm_t and move all rules to xserver.te directly
 - Add new xdm_write_home boolean to allow xdm_t to create files in HOME dirs with xdm_home_t

