* [refpolicy] [PATCH 1/9] Add several named transition for directories created in /var/run by initscripts
From: Laurent Bigonville @ 2012-12-05 22:03 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

In Debian, /var/run is a tmpfs; this means that the initscripts must
recreate the needed directories during boot, and they must be able to
transition to the correct context.
---
 cups.te    |    1 +
 nut.te     |    1 +
 pcscd.te   |    1 +
 rpcbind.te |    1 +
 xen.te     |    1 +
 5 files changed, 5 insertions(+)

diff --git a/cups.te b/cups.te
index 069141c..c1d5b4b 100644
--- a/cups.te
+++ b/cups.te
@@ -59,6 +59,7 @@ files_tmp_file(cupsd_tmp_t)
 
 type cupsd_var_run_t;
 files_pid_file(cupsd_var_run_t)
+init_daemon_run_dir(cupsd_var_run_t, "cups")
 mls_trusted_object(cupsd_var_run_t)
 
 type hplip_t;
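Review bot: the directory name passed to init_daemon_run_dir ("cups" here, and "nut", "pcscd", "rpcbind" and "xenstored" in the other hunks of this patch) has to agree with the existing .fc entry for /var/run/<name> so that the named transition taken at boot and a later restorecon produce the same label; the series touches no .fc file, so it relies on those entries already being present, and the commit message should say so. The rule is also added unconditionally although the message motivates it only by Debian's tmpfs /var/run; that is acceptable when the initscript creates the same directory name on every distribution, but it is worth stating.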
diff --git a/nut.te b/nut.te
index 81ee2c6..e525457 100644
--- a/nut.te
+++ b/nut.te
@@ -27,6 +27,7 @@ init_script_file(nut_initrc_exec_t)
 
 type nut_var_run_t;
 files_pid_file(nut_var_run_t)
+init_daemon_run_dir(nut_var_run_t, "nut")
 
 ########################################
 #
diff --git a/pcscd.te b/pcscd.te
index 802728d..4c85dd5 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -14,6 +14,7 @@ init_script_file(pcscd_initrc_exec_t)
 
 type pcscd_var_run_t;
 files_pid_file(pcscd_var_run_t)
+init_daemon_run_dir(pcscd_var_run_t, "pcscd")
 
 ########################################
 #
diff --git a/rpcbind.te b/rpcbind.te
index 8337482..b00c730 100644
--- a/rpcbind.te
+++ b/rpcbind.te
@@ -14,6 +14,7 @@ init_script_file(rpcbind_initrc_exec_t)
 
 type rpcbind_var_run_t;
 files_pid_file(rpcbind_var_run_t)
+init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
 
 type rpcbind_var_lib_t;
 files_type(rpcbind_var_lib_t)
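Review bot: patch 2/9 immediately extends this same spot with init_daemon_run_file(rpcbind_var_run_t, "rpcbind.pid"); since both rules exist for the same Debian initscript, squashing 2/9 into this hunk would keep the rpcbind change reviewable as one unit.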
diff --git a/xen.te b/xen.te
index 1c9a2f0..0ad5e4d 100644
--- a/xen.te
+++ b/xen.te
@@ -105,6 +105,7 @@ logging_log_file(xenstored_var_log_t)
 
 type xenstored_var_run_t;
 files_pid_file(xenstored_var_run_t)
+init_daemon_run_dir(xenstored_var_run_t, "xenstored")
 
 type xenconsoled_t;
 type xenconsoled_exec_t;
-- 
1.7.10.4

^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [refpolicy] [PATCH 2/9] rpcbind.te: Add named file transition for pidfile created by initscript
From: Laurent Bigonville @ 2012-12-05 22:03 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

---
 rpcbind.te |    1 +
 1 file changed, 1 insertion(+)

diff --git a/rpcbind.te b/rpcbind.te
index b00c730..56145c9 100644
--- a/rpcbind.te
+++ b/rpcbind.te
@@ -15,6 +15,7 @@ init_script_file(rpcbind_initrc_exec_t)
 type rpcbind_var_run_t;
 files_pid_file(rpcbind_var_run_t)
 init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
+init_daemon_run_file(rpcbind_var_run_t, "rpcbind.pid")
 
 type rpcbind_var_lib_t;
 files_type(rpcbind_var_lib_t)
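Review bot: the commit message is empty; it should state that on Debian the initscript, not rpcbind itself, writes /var/run/rpcbind/rpcbind.pid, because otherwise a reviewer would expect the daemon's own domain to create its pidfile and this init_daemon_run_file rule to be unnecessary. A named file transition only fires on an exact name, so the message should also confirm that "rpcbind.pid" is literally what the initscript creates.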
-- 
1.7.10.4


* [refpolicy] [PATCH 3/9] Run packagekit under apt_t context on Debian distribution
From: Laurent Bigonville @ 2012-12-05 22:03 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

Properly label the daemon and the needed files and directories

Also allow the daemon to transition to its own context when started by
the system dbus
---
 apt.fc |    3 +++
 apt.te |    4 ++++
 rpm.fc |    4 ++--
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/apt.fc b/apt.fc
index 93d315c..1fd6888 100644
--- a/apt.fc
+++ b/apt.fc
@@ -2,7 +2,10 @@ ifndef(`distro_redhat',`
 /usr/bin/apt-get	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/lib/packagekit/packagekitd	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
+/var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)
+/var/lib/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
 ')
 
 /var/cache/apt(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)
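Review bot: the hunk header shows this block is guarded by ifndef(`distro_redhat'), so labelling packagekitd as apt_exec_t (and thereby running it in apt_t, a domain that the apt.te hunk shows can transition to dpkg and manage the package database) now applies to every non-Red Hat build, not only to Debian as the subject says; if Debian is the intended scope, wrap the three new lines in ifdef(`distro_debian'). Keeping the PackageKit directories on the rpm types under distro_redhat in rpm.fc and on the apt types elsewhere does keep the two files mutually exclusive, which is right.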
diff --git a/apt.te b/apt.te
index 5ffc8b8..aaa43cc 100644
--- a/apt.te
+++ b/apt.te
@@ -125,6 +125,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+        dbus_system_domain(apt_t, apt_exec_t)
+')
+
+optional_policy(`
 	dpkg_read_db(apt_t)
 	dpkg_domtrans(apt_t)
 	dpkg_lock_db(apt_t)
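Review bot: the new dbus_system_domain(apt_t, apt_exec_t) line is indented with eight spaces while the neighbouring block (dpkg_read_db and friends) uses a tab; refpolicy files are tab-indented, so this should be a tab. Giving the call its own optional_policy block is correct, since the dbus and dpkg modules are independent.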
diff --git a/rpm.fc b/rpm.fc
index e37a2d5..ebe91fc 100644
--- a/rpm.fc
+++ b/rpm.fc
@@ -31,17 +31,17 @@ ifdef(`distro_redhat',`
 /usr/bin/apt-shell	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/aptitude	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/synaptic	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/lib/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 ')
 
 /usr/share/yumex/yumex-yum-backend	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/share/yumex/yum_childtask\.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 /var/cache/bcfg2(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
-/var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
 /var/cache/yum(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
 
 /var/lib/alternatives(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
-/var/lib/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/rpm(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/YaST2(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/yum(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
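Review bot: after this hunk the PackageKit cache and lib directories are labelled only when distro_redhat is set (here) or when the apt module's ifndef block applies; a build that ships neither, or that omits the apt module, leaves /var/cache/PackageKit and /var/lib/PackageKit on the generic /var labels, so the commit message should note that the apt module is now what labels PackageKit on non-Red Hat systems.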
-- 
1.7.10.4


* [refpolicy] [PATCH 4/9] Add proper label for colord daemon in debian
From: Laurent Bigonville @ 2012-12-05 22:03 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

Colord daemons in Debian are installed in /usr/lib/<triplet>/colord/
---
 colord.fc |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/colord.fc b/colord.fc
index 534db54..c185ca9 100644
--- a/colord.fc
+++ b/colord.fc
@@ -1,3 +1,6 @@
+/usr/lib/.*\-.*\-.*/colord/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
+/usr/lib/.*\-.*\-.*/colord/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
+
 /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
 /usr/libexec/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
 
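Review bot: in `/usr/lib/.*\-.*\-.*/colord/colord` each `.*` can span `/`, so the entry also matches a colord binary several directories deep as long as two dashes occur somewhere in the path, and the backslash before `-` is unnecessary outside a bracket expression; `/usr/lib/[^/]*/colord/colord` restricts the match to a single multiarch triplet component, which is the change the v2 of this patch makes later in the thread.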
-- 
1.7.10.4


* [refpolicy] [PATCH 5/9] Allow the system dbus to search cgroup directories
From: Laurent Bigonville @ 2012-12-05 22:03 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

When compiling with systemd support, dbus looks at the available
cgroups to try to figure out whether the system has booted using systemd.
---
 dbus.te |    1 +
 1 file changed, 1 insertion(+)

diff --git a/dbus.te b/dbus.te
index 586c97f..b9d84e7 100644
--- a/dbus.te
+++ b/dbus.te
@@ -101,6 +101,7 @@ files_read_usr_files(system_dbusd_t)
 fs_getattr_all_fs(system_dbusd_t)
 fs_list_inotifyfs(system_dbusd_t)
 fs_search_auto_mountpoints(system_dbusd_t)
+fs_search_cgroup_dirs(system_dbusd_t)
 fs_dontaudit_list_nfs(system_dbusd_t)
 
 mls_fd_use_all_levels(system_dbusd_t)
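Review bot: search on the cgroup directories is the least privilege an existence probe needs, so the scope of fs_search_cgroup_dirs is right; the commit message would be more useful if it named the directory dbus actually probes, so a later reader can tell whether the access is still needed once the probe changes.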
-- 
1.7.10.4


* [refpolicy] [PATCH 6/9] Ensure that consolekit can create /var/run/console directory on Debian
From: Laurent Bigonville @ 2012-12-05 22:03 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

---
 consolekit.te |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/consolekit.te b/consolekit.te
index 1ca336f..6cfaee6 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -87,6 +87,11 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_read_cifs_files(consolekit_t)
 ')
 
+ifdef(`distro_debian',`
+	auth_create_pam_console_data_dirs(consolekit_t)
+	auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
+')
+
 optional_policy(`
 	dbus_system_domain(consolekit_t, consolekit_exec_t)
 
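Review bot: auth_create_pam_console_data_dirs and auth_pid_filetrans_pam_var_console are not yet available in refpolicy, as the reply in this thread notes, so this hunk cannot build until the authlogin module gains them and the patch adding them should precede this one in the series. The commit message is also empty; it should explain why consolekit itself, rather than the initscript, has to create /var/run/console on Debian.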
-- 
1.7.10.4


* [refpolicy] [PATCH 7/9] Allow virtd_t context to read sysctl_crypto_t
From: Laurent Bigonville @ 2012-12-05 22:03 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

---
 virt.te |    1 +
 1 file changed, 1 insertion(+)

diff --git a/virt.te b/virt.te
index 49c9f17..00676eb 100644
--- a/virt.te
+++ b/virt.te
@@ -504,6 +504,7 @@ stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 
 can_exec(virtd_t, virt_tmp_t)
 
+kernel_read_crypto_sysctls(virtd_t)
 kernel_read_system_state(virtd_t)
 kernel_read_network_state(virtd_t)
 kernel_rw_net_sysctls(virtd_t)
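Review bot: the commit message is empty; reading /proc/sys/crypto is usually a crypto library checking fips_enabled at start-up, and saying which library or operation in libvirtd produced the denial would let reviewers judge whether kernel_read_crypto_sysctls is the right scope or a dontaudit would do.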
-- 
1.7.10.4


* [refpolicy] [PATCH 8/9] Allow colord_t context to read sysctl_crypto_t
From: Laurent Bigonville @ 2012-12-05 22:03 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

---
 colord.te |    1 +
 1 file changed, 1 insertion(+)

diff --git a/colord.te b/colord.te
index 189ef9e..2daf284 100644
--- a/colord.te
+++ b/colord.te
@@ -43,6 +43,7 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
 
+kernel_read_crypto_sysctls(colord_t)
 kernel_read_device_sysctls(colord_t)
 kernel_read_network_state(colord_t)
 kernel_read_system_state(colord_t)
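Review bot: same remark as for the virt.te change in 7/9: an empty commit message for a new kernel_read_crypto_sysctls rule leaves it unclear which colord code path reads /proc/sys/crypto; the two patches could be squashed into one with a shared rationale.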
-- 
1.7.10.4


* [refpolicy] [PATCH 9/9] Add proper label for gconfd-2 daemon in Debian
From: Laurent Bigonville @ 2012-12-05 22:03 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

The gconfd-2 daemon in Debian is installed in /usr/lib/<triplet>/colord/
---
 gnome.fc |    1 +
 1 file changed, 1 insertion(+)

diff --git a/gnome.fc b/gnome.fc
index b44275d..93596e2 100644
--- a/gnome.fc
+++ b/gnome.fc
@@ -11,4 +11,5 @@ HOME_DIR/\.gnome2_private(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
 
 /usr/bin/gnome-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
 
+/usr/lib/.*\-.*\-.*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 /usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
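Review bot: the commit message names /usr/lib/<triplet>/colord/ while the entry is under /usr/lib/<triplet>/gconf/, so the message has a copy-and-paste slip; and as with the colord entry in 4/9, `.*\-.*\-.*` can span directory separators and the `\-` escapes are not needed, so `[^/]*` for the triplet component is the tighter expression (the v2 in this thread does that).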
-- 
1.7.10.4


* [refpolicy] [PATCH 9/9] Add proper label for gconfd-2 daemon in Debian
From: grift @ 2012-12-05 22:06 UTC (permalink / raw)
  To: refpolicy

On Wed, 2012-12-05 at 23:03 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> The gconfd-2 daemon in Debian is installed in /usr/lib/<triplet>/colord/

colord?!

> ---
>  gnome.fc |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/gnome.fc b/gnome.fc
> index b44275d..93596e2 100644
> --- a/gnome.fc
> +++ b/gnome.fc
> @@ -11,4 +11,5 @@ HOME_DIR/\.gnome2_private(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
>  
>  /usr/bin/gnome-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
>  
> +/usr/lib/.*\-.*\-.*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)

Is this the most optimal regular expression? It looks a bit unnatural.

>  /usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)


* [refpolicy] [PATCH 6/9] Ensure that consolekit can create /var/run/console directory on Debian
From: grift @ 2012-12-05 22:13 UTC (permalink / raw)
  To: refpolicy

On Wed, 2012-12-05 at 23:03 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> ---
>  consolekit.te |    5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/consolekit.te b/consolekit.te
> index 1ca336f..6cfaee6 100644
> --- a/consolekit.te
> +++ b/consolekit.te
> @@ -87,6 +87,11 @@ tunable_policy(`use_samba_home_dirs',`
>  	fs_read_cifs_files(consolekit_t)
>  ')
>  
> +ifdef(`distro_debian',`
> +	auth_create_pam_console_data_dirs(consolekit_t)
> +	auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
> +')
> +
>  optional_policy(`
>  	dbus_system_domain(consolekit_t, consolekit_exec_t)
>  

I will put this one in my "outstanding" folder since I need to wait for
those interfaces to become available in refpolicy


* [refpolicy] [PATCH 9/9 v2] Add proper label for gconfd-2 daemon in Debian
From: Laurent Bigonville @ 2012-12-05 22:52 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

The gconfd-2 daemon in Debian is installed in /usr/lib/<triplet>/gconf/
---
 gnome.fc |    1 +
 1 file changed, 1 insertion(+)

diff --git a/gnome.fc b/gnome.fc
index b44275d..e39de43 100644
--- a/gnome.fc
+++ b/gnome.fc
@@ -11,4 +11,5 @@ HOME_DIR/\.gnome2_private(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
 
 /usr/bin/gnome-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
 
+/usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 /usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
-- 
1.7.10.4

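The regex question raised for the colord entries in 4/9 and the gconfd-2 entry in 9/9, worked through as an added example (not code from the thread or from refpolicy): it models how libselinux matches a file_contexts entry (whole-path anchoring, the `--` type flag, last matching entry wins) and labels constructed paths under the v1 and v2 patterns. The lib_t catch-all entry and the sample paths are constructed for the illustration; Python's `re` stands in for the POSIX extended regex used by setfiles, which is equivalent for these patterns.

```python
import re

# Added example, not code from the thread or from refpolicy.
FC_V1 = r"/usr/lib/.*\-.*\-.*/gconf/gconfd-2"   # PATCH 9/9: each '.*' may span '/'
FC_V2 = r"/usr/lib/[^/]*/gconf/gconfd-2"        # PATCH 9/9 v2: exactly one component
GCONFD_EXEC = "system_u:object_r:gconfd_exec_t:s0"
LIB_T = "system_u:object_r:lib_t:s0"


def fc_matches(fc_regex, path):
    """libselinux anchors each .fc expression with ^ and $, so the expression
    has to cover the whole path; re.fullmatch reproduces that rule."""
    return re.fullmatch(fc_regex, path) is not None


def fc_lookup(entries, path, ftype="--"):
    """Resolve a path the way setfiles/restorecon do. `entries` is a list of
    (regex, type flag or None, context); a flag such as '--' restricts the
    entry to regular files, and the LAST matching entry in the file wins."""
    winner = None
    for regex, flag, context in entries:
        if flag is not None and flag != ftype:
            continue
        if fc_matches(regex, path):
            winner = context
    return winner


def gnome_fc(pattern):
    """Constructed slice of a file_contexts file: a generic /usr/lib catch-all
    (the shape of refpolicy's lib_t entry) followed by the two gconfd-2 lines
    from the thread, with `pattern` standing in for the Debian multiarch one."""
    return [
        (r"/usr/lib(/.*)?", None, LIB_T),
        (pattern, "--", GCONFD_EXEC),
        (r"/usr/libexec/gconfd-2", "--", GCONFD_EXEC),
    ]


# Constructed paths: the real Debian multiarch layout, and a path two
# directories deep whose two dashes sit in different components.
MULTIARCH = "/usr/lib/x86_64-linux-gnu/gconf/gconfd-2"
TWO_LEVELS = "/usr/lib/some-pkg/extra-dir/gconf/gconfd-2"


def compare(path, ftype="--"):
    """Return (context under the v1 pattern, context under the v2 pattern)."""
    return (fc_lookup(gnome_fc(FC_V1), path, ftype),
            fc_lookup(gnome_fc(FC_V2), path, ftype))


if __name__ == "__main__":
    for p in (MULTIARCH, TWO_LEVELS):
        v1, v2 = compare(p)
        print(f"{p}\n  v1 -> {v1}\n  v2 -> {v2}")
    # A directory of the same name never gets the exec label: '--' excludes it.
    print(compare(MULTIARCH, ftype="-d"))
```

Under v1 the two-level path is labelled gconfd_exec_t; under v2 it falls through to the lib_t catch-all, which is the only difference between the two revisions.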

* [refpolicy] [PATCH 4/9 v2] Add proper label for colord daemon in debian
From: Laurent Bigonville @ 2012-12-05 23:09 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

Colord daemons in Debian are installed in /usr/lib/<triplet>/colord/
---
 colord.fc |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/colord.fc b/colord.fc
index 534db54..717ea0b 100644
--- a/colord.fc
+++ b/colord.fc
@@ -1,3 +1,6 @@
+/usr/lib/[^/]*/colord/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
+/usr/lib/[^/]*/colord/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
+
 /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
 /usr/libexec/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
 
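Review bot: `[^/]*` also accepts an empty component, so `[^/]+` would state the intent (exactly one multiarch triplet directory) more precisely; otherwise this v2 resolves the over-matching of the `.*\-.*\-.*` form in v1.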
-- 
1.7.10.4


* [refpolicy] [PATCH 1/9] Add several named transition for directories created in /var/run by initscripts
From: grift @ 2012-12-06 15:39 UTC (permalink / raw)
  To: refpolicy

On Wed, 2012-12-05 at 23:03 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> In Debian, /var/run is a tmpfs; this means that the initscripts must
> recreate the needed directories during boot, and they must be able to
> transition to the correct context.

This was merged, thanks

> ---
>  cups.te    |    1 +
>  nut.te     |    1 +
>  pcscd.te   |    1 +
>  rpcbind.te |    1 +
>  xen.te     |    1 +
>  5 files changed, 5 insertions(+)
> 
> diff --git a/cups.te b/cups.te
> index 069141c..c1d5b4b 100644
> --- a/cups.te
> +++ b/cups.te
> @@ -59,6 +59,7 @@ files_tmp_file(cupsd_tmp_t)
>  
>  type cupsd_var_run_t;
>  files_pid_file(cupsd_var_run_t)
> +init_daemon_run_dir(cupsd_var_run_t, "cups")
>  mls_trusted_object(cupsd_var_run_t)
>  
>  type hplip_t;
> diff --git a/nut.te b/nut.te
> index 81ee2c6..e525457 100644
> --- a/nut.te
> +++ b/nut.te
> @@ -27,6 +27,7 @@ init_script_file(nut_initrc_exec_t)
>  
>  type nut_var_run_t;
>  files_pid_file(nut_var_run_t)
> +init_daemon_run_dir(nut_var_run_t, "nut")
>  
>  ########################################
>  #
> diff --git a/pcscd.te b/pcscd.te
> index 802728d..4c85dd5 100644
> --- a/pcscd.te
> +++ b/pcscd.te
> @@ -14,6 +14,7 @@ init_script_file(pcscd_initrc_exec_t)
>  
>  type pcscd_var_run_t;
>  files_pid_file(pcscd_var_run_t)
> +init_daemon_run_dir(pcscd_var_run_t, "pcscd")
>  
>  ########################################
>  #
> diff --git a/rpcbind.te b/rpcbind.te
> index 8337482..b00c730 100644
> --- a/rpcbind.te
> +++ b/rpcbind.te
> @@ -14,6 +14,7 @@ init_script_file(rpcbind_initrc_exec_t)
>  
>  type rpcbind_var_run_t;
>  files_pid_file(rpcbind_var_run_t)
> +init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
>  
>  type rpcbind_var_lib_t;
>  files_type(rpcbind_var_lib_t)
> diff --git a/xen.te b/xen.te
> index 1c9a2f0..0ad5e4d 100644
> --- a/xen.te
> +++ b/xen.te
> @@ -105,6 +105,7 @@ logging_log_file(xenstored_var_log_t)
>  
>  type xenstored_var_run_t;
>  files_pid_file(xenstored_var_run_t)
> +init_daemon_run_dir(xenstored_var_run_t, "xenstored")
>  
>  type xenconsoled_t;
>  type xenconsoled_exec_t;


* [refpolicy] [PATCH 3/9] Run packagekit under apt_t context on Debian distribution
From: grift @ 2012-12-06 15:40 UTC (permalink / raw)
  To: refpolicy

On Wed, 2012-12-05 at 23:03 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> Properly label the daemon and the needed files and directories
> 
> Also allow the daemon to transition to its own context when started by
> the system dbus

This was merged, thanks

> ---
>  apt.fc |    3 +++
>  apt.te |    4 ++++
>  rpm.fc |    4 ++--
>  3 files changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/apt.fc b/apt.fc
> index 93d315c..1fd6888 100644
> --- a/apt.fc
> +++ b/apt.fc
> @@ -2,7 +2,10 @@ ifndef(`distro_redhat',`
>  /usr/bin/apt-get	--	gen_context(system_u:object_r:apt_exec_t,s0)
>  /usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
>  /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/lib/packagekit/packagekitd	--	gen_context(system_u:object_r:apt_exec_t,s0)
>  /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
> +/var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)
> +/var/lib/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
>  ')
>  
>  /var/cache/apt(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)
> diff --git a/apt.te b/apt.te
> index 5ffc8b8..aaa43cc 100644
> --- a/apt.te
> +++ b/apt.te
> @@ -125,6 +125,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +        dbus_system_domain(apt_t, apt_exec_t)
> +')
> +
> +optional_policy(`
>  	dpkg_read_db(apt_t)
>  	dpkg_domtrans(apt_t)
>  	dpkg_lock_db(apt_t)
> diff --git a/rpm.fc b/rpm.fc
> index e37a2d5..ebe91fc 100644
> --- a/rpm.fc
> +++ b/rpm.fc
> @@ -31,17 +31,17 @@ ifdef(`distro_redhat',`
>  /usr/bin/apt-shell	--	gen_context(system_u:object_r:rpm_exec_t,s0)
>  /usr/bin/aptitude	--	gen_context(system_u:object_r:rpm_exec_t,s0)
>  /usr/sbin/synaptic	--	gen_context(system_u:object_r:rpm_exec_t,s0)
> +/var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
> +/var/lib/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
>  ')
>  
>  /usr/share/yumex/yumex-yum-backend	--	gen_context(system_u:object_r:rpm_exec_t,s0)
>  /usr/share/yumex/yum_childtask\.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
>  
>  /var/cache/bcfg2(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
> -/var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
>  /var/cache/yum(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
>  
>  /var/lib/alternatives(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
> -/var/lib/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
>  /var/lib/rpm(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
>  /var/lib/YaST2(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
>  /var/lib/yum(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)


* [refpolicy] [PATCH 4/9 v2] Add proper label for colord daemon in debian
From: grift @ 2012-12-06 15:41 UTC (permalink / raw)
  To: refpolicy

On Thu, 2012-12-06 at 00:09 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> Colord daemons in Debian are installed in /usr/lib/<triplet>/colord/

This was merged, thanks

> ---
>  colord.fc |    3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/colord.fc b/colord.fc
> index 534db54..717ea0b 100644
> --- a/colord.fc
> +++ b/colord.fc
> @@ -1,3 +1,6 @@
> +/usr/lib/[^/]*/colord/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
> +/usr/lib/[^/]*/colord/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
> +
>  /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
>  /usr/libexec/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
>  


* [refpolicy] [PATCH 5/9] Allow the system dbus to search cgroup directories
From: grift @ 2012-12-06 15:42 UTC (permalink / raw)
  To: refpolicy

On Wed, 2012-12-05 at 23:03 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> When compiling with systemd support, dbus looks at the available
> cgroups to try to figure out whether the system has booted using systemd.

This was merged, thanks

> ---
>  dbus.te |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/dbus.te b/dbus.te
> index 586c97f..b9d84e7 100644
> --- a/dbus.te
> +++ b/dbus.te
> @@ -101,6 +101,7 @@ files_read_usr_files(system_dbusd_t)
>  fs_getattr_all_fs(system_dbusd_t)
>  fs_list_inotifyfs(system_dbusd_t)
>  fs_search_auto_mountpoints(system_dbusd_t)
> +fs_search_cgroup_dirs(system_dbusd_t)
>  fs_dontaudit_list_nfs(system_dbusd_t)
>  
>  mls_fd_use_all_levels(system_dbusd_t)


* [refpolicy] [PATCH 7/9] Allow virtd_t context to read sysctl_crypto_t
From: grift @ 2012-12-06 15:44 UTC (permalink / raw)
  To: refpolicy

On Wed, 2012-12-05 at 23:03 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>

This was merged, thanks

> ---
>  virt.te |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/virt.te b/virt.te
> index 49c9f17..00676eb 100644
> --- a/virt.te
> +++ b/virt.te
> @@ -504,6 +504,7 @@ stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
>  
>  can_exec(virtd_t, virt_tmp_t)
>  
> +kernel_read_crypto_sysctls(virtd_t)
>  kernel_read_system_state(virtd_t)
>  kernel_read_network_state(virtd_t)
>  kernel_rw_net_sysctls(virtd_t)


* [refpolicy] [PATCH 8/9] Allow colord_t context to read sysctl_crypto_t
From: grift @ 2012-12-06 15:45 UTC (permalink / raw)
  To: refpolicy

On Wed, 2012-12-05 at 23:03 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>

This was merged, thanks

> 
> ---
>  colord.te |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/colord.te b/colord.te
> index 189ef9e..2daf284 100644
> --- a/colord.te
> +++ b/colord.te
> @@ -43,6 +43,7 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
>  manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
>  files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
>  
> +kernel_read_crypto_sysctls(colord_t)
>  kernel_read_device_sysctls(colord_t)
>  kernel_read_network_state(colord_t)
>  kernel_read_system_state(colord_t)


* [refpolicy] [PATCH 9/9 v2] Add proper label for gconfd-2 daemon in Debian
From: grift @ 2012-12-06 15:46 UTC (permalink / raw)
  To: refpolicy

On Wed, 2012-12-05 at 23:52 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> The gconfd-2 daemon in Debian is installed in /usr/lib/<triplet>/gconf/

This was merged, thanks

> ---
>  gnome.fc |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/gnome.fc b/gnome.fc
> index b44275d..e39de43 100644
> --- a/gnome.fc
> +++ b/gnome.fc
> @@ -11,4 +11,5 @@ HOME_DIR/\.gnome2_private(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
>  
>  /usr/bin/gnome-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
>  
> +/usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
>  /usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)


* [refpolicy] [PATCH 6/9] Ensure that consolekit can create /var/run/console directory on Debian
From: grift @ 2012-12-09 13:14 UTC (permalink / raw)
  To: refpolicy

On Wed, 2012-12-05 at 23:03 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>

This was merged, thanks
> 
> ---
>  consolekit.te |    5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/consolekit.te b/consolekit.te
> index 1ca336f..6cfaee6 100644
> --- a/consolekit.te
> +++ b/consolekit.te
> @@ -87,6 +87,11 @@ tunable_policy(`use_samba_home_dirs',`
>  	fs_read_cifs_files(consolekit_t)
>  ')
>  
> +ifdef(`distro_debian',`
> +	auth_create_pam_console_data_dirs(consolekit_t)
> +	auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
> +')
> +
>  optional_policy(`
>  	dbus_system_domain(consolekit_t, consolekit_exec_t)
>  
