[selinux-policy/f19] More fixes for freeipa-selinux
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Jul 16 13:14:17 UTC 2013
commit cbee30b868f274b9ddd271f8bb7c25cd4346a64b
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Jul 16 15:13:46 2013 +0200
More fixes for freeipa-selinux
policy-rawhide-base.patch | 21 ++++++++++++++-------
policy-rawhide-contrib.patch | 28 +++++++++++++++++-----------
2 files changed, 31 insertions(+), 18 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 85db2a1..6debbcb 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -28454,29 +28454,33 @@ index dd3be8d..8cda2bb 100644
+ allow direct_run_init direct_init_entry:file { getattr open read execute };
+')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..93aad6f 100644
+index 662e79b..ef9370d 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
-@@ -1,13 +1,17 @@
+@@ -1,14 +1,19 @@
/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
-/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
+-/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
+
-+/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
- /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++/etc/(strongswan)?/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/(strongswan)?/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
/etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
/etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
/etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
+-/etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
- /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/(strongswan)?/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
-@@ -26,10 +30,12 @@
+
+@@ -26,12 +31,15 @@
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
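Review bot: The rewritten entries `/etc/(strongswan)?/ipsec\.secrets.*`, `/etc/(strongswan)?/ipsec\.conf` and `/etc/(strongswan)?/ipsec\.d(/.*)?` keep the slash outside the optional group, so without `strongswan` they expand to `/etc//ipsec…` and no longer match the plain `/etc/ipsec.*` paths. The dedicated entries for those paths are dropped in the same hunk, so on relabel `/etc/ipsec.secrets` and `/etc/ipsec.d` would presumably fall back to a generic /etc label instead of `ipsec_key_file_t`. That would weaken the confinement of key material. Moving the slash into the group covers both locations, e.g. `/etc/(strongswan/)?ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)`, and likewise for the `.conf` and `.d` entries.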
@@ -28488,8 +28492,11 @@ index 662e79b..93aad6f 100644
+/usr/sbin/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
++/var/lock/subsys/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
+
+ /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
-@@ -39,3 +45,5 @@
+@@ -39,3 +47,5 @@
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index a3352be..de0843d 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -8988,7 +8988,7 @@ index 02fefaa..fbcef10 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
-index 7c92aa1..1a30d34 100644
+index 7c92aa1..f177ca5 100644
--- a/boinc.te
+++ b/boinc.te
@@ -1,11 +1,13 @@
@@ -9083,7 +9083,7 @@ index 7c92aa1..1a30d34 100644
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-@@ -54,74 +91,47 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+@@ -54,74 +91,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
@@ -9116,6 +9116,7 @@ index 7c92aa1..1a30d34 100644
+# needs read /proc/interrupts
kernel_read_system_state(boinc_t)
++kernel_read_network_state(boinc_t)
kernel_search_vm_sysctl(boinc_t)
-corenet_all_recvfrom_unlabeled(boinc_t)
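Review bot: The added `kernel_read_network_state(boinc_t)` sits under the existing comment `# needs read /proc/interrupts`, which only explains the `kernel_read_system_state` call. The new grant lets a domain that runs downloaded workloads read the `/proc/net` tree, so it deserves its own one-line justification, e.g. `# needs read /proc/net/<file> (from AVC denial)`, naming the file actually reported. The rest of the boinc_t rule block lies outside this hunk.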
@@ -9179,7 +9180,7 @@ index 7c92aa1..1a30d34 100644
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +140,65 @@ init_read_utmp(boinc_t)
+@@ -130,55 +141,65 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
@@ -25004,10 +25005,10 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..eaf0f2a
+index 0000000..6ceb963
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,158 @@
+@@ -0,0 +1,160 @@
+policy_module(glusterfs, 1.0.1)
+
+## <desc>
@@ -25136,6 +25137,8 @@ index 0000000..eaf0f2a
+
+fs_getattr_all_fs(glusterd_t)
+
++storage_rw_fuse(glusterd_t)
++
+auth_use_nsswitch(glusterd_t)
+
+fs_getattr_all_fs(glusterd_t)
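Review bot: `fs_getattr_all_fs(glusterd_t)` appears twice in the new file, once just before the added `storage_rw_fuse(glusterd_t)` and again two statements after it; the second call is redundant and can be dropped. The added line would also benefit from a short comment such as `# read/write the fuse device for glusterfs mounts`, so that the device access is traceable to a need. The surrounding rule block continues outside the hunk.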
@@ -35974,15 +35977,16 @@ index e08c55d..9e634bd 100644
+
+')
diff --git a/mandb.fc b/mandb.fc
-index 2de0f64..50f34fd 100644
+index 2de0f64..3c24286 100644
--- a/mandb.fc
+++ b/mandb.fc
-@@ -1 +1,9 @@
+@@ -1 +1,10 @@
/etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
++/opt/local/share/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
+
+/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0)
+
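Review bot: The added `/opt/local/share/man(/.*)?` entry labels what looks like a manual-page tree, not a cache directory, as `mandb_cache_t`, and it has no file-class restriction, so everything under the path gets the cache type. Any domain allowed to manage `mandb_cache_t` would then gain write access to the pages themselves, and readers of ordinary man pages may need extra rules; neither effect is visible in this hunk. If only the mandb index files under that tree need the type, a narrower pattern is safer. Otherwise a comment should state why the whole tree is treated as cache.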
@@ -53976,10 +53980,10 @@ index 0000000..726d992
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
-index 0000000..051f952
+index 0000000..b975b85
--- /dev/null
+++ b/pki.if
-@@ -0,0 +1,293 @@
+@@ -0,0 +1,294 @@
+
+## <summary>policy for pki</summary>
+
@@ -54020,6 +54024,7 @@ index 0000000..051f952
+ ')
+
+ read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
++ read_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+')
+
+########################################
@@ -54275,10 +54280,10 @@ index 0000000..051f952
+')
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..10eaddc
+index 0000000..17f5d18
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,283 @@
+@@ -0,0 +1,284 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -54367,6 +54372,7 @@ index 0000000..10eaddc
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
++manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)