[selinux-policy] Fix ipa.if

Miroslav Grepl mgrepl at fedoraproject.org
Wed Mar 26 10:14:25 UTC 2014


commit 83715e6621b6012dd71599741604f93dc2130caf
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Mar 26 11:14:21 2014 +0100

    Fix ipa.if

 policy-rawhide-base.patch    |   45 ++++++++++++++++++++++++++++++++++++++++-
 policy-rawhide-contrib.patch |   44 ++++++++++++++++++++++++++++------------
 2 files changed, 74 insertions(+), 15 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index a373432..f15a12c 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -16881,7 +16881,7 @@ index 54f1827..39faa3f 100644
 +/usr/lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 +/usr/lib/udev/devices/fuse   -c	gen_context(system_u:object_r:fuse_device_t,s0)
 diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 64c4cd0..69be610 100644
+index 64c4cd0..b9d9660 100644
 --- a/policy/modules/kernel/storage.if
 +++ b/policy/modules/kernel/storage.if
 @@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
@@ -17010,7 +17010,7 @@ index 64c4cd0..69be610 100644
  ########################################
  ## <summary>
  ##	Allow the caller to directly read
-@@ -813,3 +897,411 @@ interface(`storage_unconfined',`
+@@ -813,3 +897,452 @@ interface(`storage_unconfined',`
  
  	typeattribute $1 storage_unconfined_type;
  ')
@@ -17355,6 +17355,47 @@ index 64c4cd0..69be610 100644
 +	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7")
 +	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8")
 +	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg10")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg11")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg12")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg13")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg14")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg15")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg16")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg17")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg18")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg19")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg20")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg21")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg22")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg23")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg24")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg25")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg26")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg27")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg28")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg29")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg30")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg31")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg32")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg33")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg34")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg35")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg36")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg37")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg38")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg39")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg40")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg41")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg42")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg43")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg44")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg45")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg46")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg47")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg48")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg49")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg50")
 +	dev_filetrans($1, removable_device_t, blk_file, "sr0")
 +	dev_filetrans($1, removable_device_t, blk_file, "sr1")
 +	dev_filetrans($1, removable_device_t, blk_file, "sr2")
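Review bot: The new sg10–sg50 entries extend a hand-enumerated list of named file transitions, and because SELinux named transitions match an exact basename, any sg node numbered above 50 will still receive the directory's default label instead of scsi_generic_device_t; the cap is invisible to a reader of the interface. A one-line comment above the run would make the limit explicit, for example `# named transitions cannot use patterns; nodes past sg50 depend on udev/restorecon for their label`. The interface that contains these lines starts and ends outside this hunk, so the rest of its device list could not be checked for the same gap.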
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 54cdf61..c33f667 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -28811,7 +28811,7 @@ index e39de43..6a6db28 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index ab09d61..d0bfef0 100644
+index ab09d61..8bcb6ba 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,52 +1,78 @@
@@ -29858,7 +29858,7 @@ index ab09d61..d0bfef0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -706,12 +820,931 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -706,12 +820,948 @@ interface(`gnome_stream_connect_gkeyringd',`
  ##	</summary>
  ## </param>
  #
@@ -30251,6 +30251,23 @@ index ab09d61..d0bfef0 100644
 +	read_files_pattern($1, config_home_t, config_home_t)
 +	read_lnk_files_pattern($1, config_home_t, config_home_t)
 +')
++#######################################
++## <summary>
++##  append gnome homedir content (.config)
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`gnome_append_home_config',`
++    gen_require(`
++        type config_home_t;
++    ')
++
++    append_files_pattern($1, config_home_t, config_home_t)
++')
 +
 +#######################################
 +## <summary>
@@ -33328,10 +33345,10 @@ index 0000000..48d7322
 +
 diff --git a/ipa.if b/ipa.if
 new file mode 100644
-index 0000000..4095bed
+index 0000000..d028154
 --- /dev/null
 +++ b/ipa.if
-@@ -0,0 +1,58 @@
+@@ -0,0 +1,57 @@
 +## <summary>Policy for IPA services.</summary>
 +
 +########################################
@@ -33389,7 +33406,6 @@ index 0000000..4095bed
 +    manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
 +')
 +
-+')
 diff --git a/ipa.te b/ipa.te
 new file mode 100644
 index 0000000..b60bc5f
@@ -73656,10 +73672,10 @@ index 0000000..a073efd
 +')
 diff --git a/rasdaemon.te b/rasdaemon.te
 new file mode 100644
-index 0000000..7b1fa9e
+index 0000000..6731d5c
 --- /dev/null
 +++ b/rasdaemon.te
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,46 @@
 +policy_module(rasdaemon, 1.0.0)
 +
 +########################################
@@ -73691,16 +73707,17 @@ index 0000000..7b1fa9e
 +kernel_read_system_state(rasdaemon_t)
 +kernel_manage_debugfs(rasdaemon_t)
 +
-+auth_use_nsswitch(rasdaemon_t)
-+
 +dev_read_raw_memory(rasdaemon_t)
 +dev_read_sysfs(rasdaemon_t)
 +dev_read_urand(rasdaemon_t)
-+
-+logging_send_syslog_msg(rasdaemon_t)
++dev_rw_cpu_microcode(rasdaemon_t)
 +
 +modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277
 +
++auth_use_nsswitch(rasdaemon_t)
++
++logging_send_syslog_msg(rasdaemon_t)
++
 +optional_policy(`
 +    dmidecode_exec(rasdaemon_t)
 +')
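Review bot: The added `dev_rw_cpu_microcode(rasdaemon_t)` grants read and write access to the CPU device nodes covered by that interface, and write access there is what allows loading new microcode, which is a considerably stronger privilege than the surrounding read-only rules (`dev_read_raw_memory`, `dev_read_sysfs`, `dev_read_urand`). The neighbouring `modutils_dontaudit_exec_insmod` line carries a bug reference explaining why it is there; this line should have the same, e.g. `dev_rw_cpu_microcode(rasdaemon_t) # needed for <reason/bug>, write is required because …`. If rasdaemon only needs to read from these nodes, a read-only interface would be the tighter choice, but whether one exists for this type cannot be confirmed from this hunk.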
@@ -95084,10 +95101,10 @@ index 0000000..c1fd8b4
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..bb3e477
+index 0000000..0e30ce2
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,156 @@
+@@ -0,0 +1,157 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -95217,6 +95234,7 @@ index 0000000..bb3e477
 +	# .config
 +	gnome_dontaudit_search_config(thumb_t)
 +	gnome_dontaudit_write_config_files(thumb_t)
++    gnome_append_home_config(thumb_t)
 +	gnome_append_generic_cache_files(thumb_t)
 +	gnome_read_generic_data_home_files(thumb_t)
 +	gnome_dontaudit_rw_generic_cache_files(thumb_t)
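Review bot: The inserted `gnome_append_home_config(thumb_t)` is indented with four spaces while every adjacent line in the block uses a tab, so it breaks the file's indentation; it should be `	gnome_append_home_config(thumb_t)` with a tab. Separately, a thumbnailer domain that processes untrusted files is now allowed to append to the user's .config content, two lines after `gnome_dontaudit_write_config_files(thumb_t)` deliberately silences plain writes there; append and write are distinct permissions so the pair is coherent, but the widening deserves a comment naming the file that needs appending, as the `# .config` marker above it does not say why. The enclosing optional_policy block begins outside this hunk.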

