From: Russell Coker <russell@coker.com.au>
To: SE Linux <selinux@tycho.nsa.gov>
Subject: policy to allow upgrade of nfs-utils
Date: Thu, 8 Jul 2004 13:19:05 +1000
Message-ID: <200407081319.05138.russell@coker.com.au>


The attached policy patch is needed to allow nfs-utils to be upgraded to the 
latest version on a rawhide system.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


diff -ru policy/domains/program/unused/rpcd.te ./domains/program/unused/rpcd.te
--- policy/domains/program/unused/rpcd.te	2004-06-17 15:10:40.000000000 +1000
+++ ./domains/program/unused/rpcd.te	2004-07-08 13:15:55.000000000 +1000
@@ -51,6 +51,8 @@
 
 ifdef(`rpm.te', `
 allow rpcd_t self:capability { chown dac_override setgid setuid };
+# for /etc/rc.d/init.d/nfs to create /etc/exports
+allow initrc_t etc_t:file rw_file_perms;
 ')
 
 allow rpcd_t self:file { getattr read };
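Review bot: the new `allow initrc_t etc_t:file rw_file_perms;` grants initrc_t read/write on every etc_t file, not just /etc/exports, and it sits in rpcd.te inside the `ifdef(`rpm.te'` block even though it is a rule about initrc_t rather than rpcd_t. Also, if the init script really creates /etc/exports as the comment says, rw_file_perms (ioctl/read/getattr/lock/write/append on an existing file) does not include create, so please confirm whether the script creates the file or only rewrites an existing one, consider giving /etc/exports its own type with a file transition from initrc_t instead of opening all of etc_t, and put the rule with the other initrc_t rules rather than under rpcd.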
diff -ru policy/domains/program/unused/rpm.te ./domains/program/unused/rpm.te
--- policy/domains/program/unused/rpm.te	2004-07-08 13:09:34.000000000 +1000
+++ ./domains/program/unused/rpm.te	2004-07-08 13:11:32.000000000 +1000
@@ -69,6 +69,9 @@
 # for a bug in rm
 dontaudit initrc_t pidfile:file write;
 
+# bash tries to access a block device in the initrd
+dontaudit initrc_t unlabeled_t:blk_file getattr;
+
 # bash tries ioctl for some reason
 dontaudit initrc_t pidfile:file ioctl;
 
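Review bot: `dontaudit initrc_t unlabeled_t:blk_file getattr;` hides the denial instead of explaining it; unlabeled_t is the catch-all for objects with no valid label, so the real question is why a block device in the initrd carries no label (initrd contents not labelled, or a missing device type) and whether it should be labelled so a normal allow or dontaudit on a specific device type can be used. At minimum the comment should say which device node and which script trigger the access so the rule can be revisited once the labelling is fixed.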
@@ -93,7 +96,9 @@
 allow rpm_t sysfs_t:filesystem getattr;
 allow rpm_t tmpfs_t:filesystem getattr;
 dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
-allow rpm_t fs_type:dir getattr;
+# needs rw permission to the directory for an rpm package that includes a mount
+# point
+allow rpm_t fs_type:dir { setattr rw_dir_perms };
 allow rpm_t fs_type:filesystem getattr;
 
 # allow compiling and loading new policy
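Review bot: widening `allow rpm_t fs_type:dir getattr;` to `{ setattr rw_dir_perms }` is a very broad grant: fs_type is the attribute carried by every filesystem type (proc, sysfs, tmpfs, devpts and the rest), so rpm_t can now add and remove entries and change attributes on directories of all of them, not just the one mount point the comment describes. Please narrow this to the specific filesystem type (or the directory type of that mount point) the package touches, and name the package and mount point in the comment; setattr in particular is outside rw_dir_perms and is not explained by "needs rw permission", so either justify it or drop it.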
