[refpolicy] [PATCH] fedora14

Paul Nuzzi pjnuzzi at tycho.ncsc.mil
Fri Dec 10 17:22:35 CST 2010


A few patches to get refpolicy working on Fedora 14.  You can pick and choose which ones are worth
upstreaming.  upstart is probably the most important.

Signed-off-by: Paul Nuzzi <pjnuzzi at tycho.ncsc.mil>

---

 policy/modules/roles/sysadm.te     |    5 ++++-
 policy/modules/services/ssh.te     |    1 +
 policy/modules/system/authlogin.te |    1 +
 policy/modules/system/init.fc      |    1 +
 policy/modules/system/ipsec.te     |    4 ++++
 policy/modules/system/mount.te     |    1 +
 6 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index d5e88be..6b5949e 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,7 +24,7 @@ ifndef(`enable_mls',`
 #
 # Local policy
 #
-
+allow sysadm_t self:key_socket { read write };
 corecmd_exec_shell(sysadm_t)
 
 mls_process_read_up(sysadm_t)
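Review bot: The new `allow sysadm_t self:key_socket { read write };` has no comment saying which program running as sysadm_t needs PF_KEY access, and it replaces the blank line that separated the `# Local policy` header from the first rule. Because the rule grants `read write` but not `create`, it looks as if it was derived from denials on an already-open socket (inferred, not shown here). If the caller is an IPsec tool, a transition into that tool's own domain would be tighter than widening sysadm_t. I would keep the blank line and put a line such as `# PF_KEY socket use by <tool> on Fedora 14` above the rule.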
@@ -34,6 +34,9 @@ ubac_file_exempt(sysadm_t)
 ubac_fd_exempt(sysadm_t)
 
 init_exec(sysadm_t)
+init_stream_connect(sysadm_t)
+
+logging_send_audit_msgs(sysadm_t)
 
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
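Review bot: `logging_send_audit_msgs(sysadm_t)` lets anything running in sysadm_t submit user-space audit records, which reduces the value of the audit trail wherever system administration and audit administration are meant to be separate roles, and the hunk does not say which program needs it. If a specific Fedora 14 utility triggers the denial, granting the interface to that utility's own domain would be narrower than granting it to the whole admin domain. `init_stream_connect(sysadm_t)` is presumably for talking to upstart's control socket; a short comment such as `# initctl connects to init over a stream socket` would record that.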
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..12e6d69 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -238,6 +238,7 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
 manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
 files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
 
+kernel_read_crypto_sysctls(sshd_t)
 kernel_search_key(sshd_t)
 kernel_link_key(sshd_t)
 
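Review bot: `kernel_read_crypto_sysctls(sshd_t)` is added without a comment, and the same bare call is added for chkpwd_t in authlogin.te and for ipsec_t and racoon_t in ipsec.te. These are presumably all reads of the FIPS-mode flag under /proc/sys/crypto by the crypto library, so one line such as `# crypto library checks FIPS mode` above each call would keep the grant from looking arbitrary. In authlogin.te the call lands directly under `# is_selinux_enabled`, which does not describe it; a blank line or its own comment would fix that. The diffstat lists no change to the kernel module, so it is worth confirming that `kernel_read_crypto_sysctls` already exists in the target tree.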
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 54d122b..25bfbd4 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -90,6 +90,7 @@ files_list_etc(chkpwd_t)
 
 # is_selinux_enabled
 kernel_read_system_state(chkpwd_t)
+kernel_read_crypto_sysctls(chkpwd_t)
 
 domain_dontaudit_use_interactive_fds(chkpwd_t)
 
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 9775375..a8f7989 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -25,6 +25,7 @@ ifdef(`distro_gentoo',`
 # /sbin
 #
 /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
+/sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
 
 ifdef(`distro_gentoo', `
 /sbin/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
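Review bot: The `/sbin/upstart` entry is unconditional, while the distro-specific paths around it in this file sit inside distro `ifdef` blocks (the hunk shows one for distro_gentoo, which continues past the hunk). Labelling a file init_exec_t makes it an entry point to the init domain, so it is worth confirming that this path is the init binary itself on Fedora 14 rather than a helper, and saying so in a comment. If the path exists only on Red Hat-family systems, wrapping it in the matching distro conditional would leave other builds unchanged.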
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 44c32d5..0c8e6ac 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -161,6 +161,8 @@ auth_use_nsswitch(ipsec_t)
 init_use_fds(ipsec_t)
 init_use_script_ptys(ipsec_t)
 
+kernel_read_crypto_sysctls(ipsec_t)
+
 logging_send_syslog_msg(ipsec_t)
 
 miscfiles_read_localization(ipsec_t)
@@ -376,6 +378,8 @@ auth_use_nsswitch(racoon_t)
 
 ipsec_setcontext_default_spd(racoon_t)
 
+kernel_read_crypto_sysctls(racoon_t)
+
 locallogin_use_fds(racoon_t)
 
 logging_send_syslog_msg(racoon_t)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index fca6947..93818b1 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -52,6 +52,7 @@ kernel_dontaudit_getattr_core_if(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
+corecmd_exec_shell(mount_t)
 
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
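Review bot: `corecmd_exec_shell(mount_t)` lets the mount domain run a shell without a domain transition, so any script it runs keeps mount_t's privileges, and the line sits under the `# required for mount.smbfs` comment as though that comment covered it. The hunk does not show which mount helper needs a shell. Name it in its own comment, e.g. `# <helper> is a shell script`, or give that helper a transition to a narrower domain if one exists.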



