From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] RFC: patch to update git reference policy
Date: Thu, 20 Jan 2011 08:18:31 -0500 [thread overview]
Message-ID: <4D383627.60804@tresys.com> (raw)
In-Reply-To: <1295397630.3377.10.camel@tesla.lan>
On 01/18/11 19:40, Guido Trentalancia wrote:
> Hello,
>
> I have created a set of two patches to update the git reference policy
> to run on a generic modern Linux system.
>
> Most changes are relative to the dbus system (send_msg capability). Some
> interfaces and a few file contexts have also been added for convenience.
> In particular /sbin/upstart is now labelled correctly (many
> distributions nowadays link /sbin/init to /sbin/upstart to leave some
> choice, so it is necessary to label the latter appropriately).
>
> Please send your comments and feel free to test intensively. Thanks.
There are too many changes in this patch and the other. Can you
resubmit, breaking each logically separate change into a different patch?
> diff -pruN refpolicy-git-18012011/policy/modules/services/dbus.fc refpolicy-git-18012011-new/policy/modules/services/dbus.fc
> --- refpolicy-git-18012011/policy/modules/services/dbus.fc 2011-01-08 19:07:21.238740722 +0100
> +++ refpolicy-git-18012011-new/policy/modules/services/dbus.fc 2011-01-17 20:53:01.132703217 +0100
> @@ -1,11 +1,24 @@
> /etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
>
> /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-cleanup-sockets -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-monitor -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-send -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-uuidgen -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-binding-tool -- gen_context(system_u:object_r:dbusd_exec_t,s0)
>
> /lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> /lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
>
> /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-cleanup-sockets -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-monitor -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-send -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-uuidgen -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-binding-tool -- gen_context(system_u:object_r:dbusd_exec_t,s0)
> +
> /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
>
> /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
> diff -pruN refpolicy-git-18012011/policy/modules/system/init.fc refpolicy-git-18012011-new/policy/modules/system/init.fc
> --- refpolicy-git-18012011/policy/modules/system/init.fc 2011-01-08 19:07:21.350758412 +0100
> +++ refpolicy-git-18012011-new/policy/modules/system/init.fc 2011-01-17 20:35:02.785918606 +0100
> @@ -34,6 +34,8 @@ ifdef(`distro_gentoo', `
> # /sbin
> #
> /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> +# because nowadays, /sbin/init is often a symlink to /sbin/upstart
> +/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
>
> ifdef(`distro_gentoo', `
> /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-minimum-update/policy/modules/admin/readahead.te
> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>
> auth_dontaudit_read_shadow(readahead_t)
>
> +init_read_fifo_file(readahead_t)
> init_use_fds(readahead_t)
> init_use_script_ptys(readahead_t)
> init_getattr_initctl(readahead_t)
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/corecommands.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/corecommands.if
> --- refpolicy-git-18012011/policy/modules/kernel/corecommands.if 2011-01-08 19:07:21.197734248 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/corecommands.if 2011-01-18 23:13:49.755846822 +0100
> @@ -808,6 +808,27 @@ interface(`corecmd_check_exec_shell',`
>
> ########################################
> ## <summary>
> +## Allow mmap_file_perms on a shell
> +## executable.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`corecmd_mmap_file_exec_shell',`
> + gen_require(`
> + type bin_t, shell_exec_t;
> + ')
> +
> + list_dirs_pattern($1, bin_t, bin_t)
> + read_lnk_files_pattern($1, bin_t, bin_t)
> + allow $1 shell_exec_t:file mmap_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Execute shells in the caller domain.
> ## </summary>
> ## <desc>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/files.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/files.if
> --- refpolicy-git-18012011/policy/modules/kernel/files.if 2011-01-08 19:07:21.203735196 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/files.if 2011-01-18 23:13:49.759847386 +0100
> @@ -4131,6 +4131,126 @@ interface(`files_purge_tmp',`
>
> ########################################
> ## <summary>
> +## Set the attributes of the /bin directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_setattr_bin_dirs',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + allow $1 bin_t:dir setattr;
> +')
> +
> +########################################
> +## <summary>
> +## Search the content of /bin.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_search_bin',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + allow $1 bin_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Get the attributes of files in /bin.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_getattr_bin_files',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + getattr_files_pattern($1, bin_t, bin_t)
> +')
> +
> +########################################
> +## <summary>
> +## Read generic files in /bin.
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to read generic
> +## files in /bin. These files are various program
> +## files that do not have more specific SELinux types.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="10"/>
> +#
> +interface(`files_read_bin_files',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + allow $1 bin_t:dir list_dir_perms;
> + read_files_pattern($1, bin_t, bin_t)
> + read_lnk_files_pattern($1, bin_t, bin_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute generic programs in /bin in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_exec_bin_files',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + allow $1 bin_t:dir list_dir_perms;
> + exec_files_pattern($1, bin_t, bin_t)
> + read_lnk_files_pattern($1, bin_t, bin_t)
> +')
> +
> +########################################
> +## <summary>
> +## Read symbolic links in /bin.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_read_bin_symlinks',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + read_lnk_files_pattern($1, bin_t, bin_t)
> +')
> +
> +########################################
> +## <summary>
> ## Set the attributes of the /usr directory.
> ## </summary>
> ## <param name="domain">
> @@ -4149,7 +4269,7 @@ interface(`files_setattr_usr_dirs',`
>
> ########################################
> ## <summary>
> -## Search the content of /etc.
> +## Search the content of /usr.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -5070,6 +5190,196 @@ interface(`files_manage_mounttab',`
> ')
>
> ########################################
> +## <summary>
> +## Get the attributes of the /var/log directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_getattr_var_log_dirs',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + getattr_dirs_pattern($1, var_t, var_log_t)
> +')
> +
> +########################################
> +## <summary>
> +## Search the /var/log directory.
> +## </summary>
> +## <desc>
> +## <p>
> +## Search the /var/log directory. This is
> +## necessary to access files or directories under
> +## /var/log that have a private type. For example, a
> +## domain accessing a private log file in the
> +## /var/log directory:
> +## </p>
> +## <p>
> +## allow mydomain_t mylogfile_t:file read_file_perms;
> +## files_search_var_log(mydomain_t)
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="5"/>
> +#
> +interface(`files_search_var_log',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + search_dirs_pattern($1, var_t, var_log_t)
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to search the
> +## contents of /var/log.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="5"/>
> +#
> +interface(`files_dontaudit_search_var_log',`
> + gen_require(`
> + type var_log_t;
> + ')
> +
> + dontaudit $1 var_log_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## List the contents of the /var/log directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_list_var_log',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + list_dirs_pattern($1, var_t, var_log_t)
> +')
> +
> +###########################################
> +## <summary>
> +## Read-write /var/log directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_rw_var_log_dirs',`
> + gen_require(`
> + type var_log_t;
> + ')
> +
> + rw_dirs_pattern($1, var_log_t, var_log_t)
> +')
> +
> +###########################################
> +## <summary>
> +## Append to files in the /var/log directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_var_log_append',`
> + gen_require(`
> + type var_log_t;
> + ')
> +
> + append_files_pattern($1, var_log_t, var_log_t)
> +')
> +
> +########################################
> +## <summary>
> +## Create objects in the /var/log directory
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="file_type">
> +## <summary>
> +## The type of the object to be created
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The object class.
> +## </summary>
> +## </param>
> +#
> +interface(`files_var_log_filetrans',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + allow $1 var_t:dir search_dir_perms;
> + filetrans_pattern($1, var_log_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> +## Read generic files in /var/log.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_read_var_log_files',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + allow $1 var_log_t:dir list_dir_perms;
> + read_files_pattern($1, { var_t var_log_t }, var_log_t)
> +')
> +
> +########################################
> +## <summary>
> +## Read generic symbolic links in /var/log
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_read_var_log_symlinks',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + read_lnk_files_pattern($1, { var_t var_log_t }, var_log_t)
> +')
> +
> +########################################
> ## <summary>
> ## Search the locks directory (/var/lock).
> ## </summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/kernel.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/kernel.if
> --- refpolicy-git-18012011/policy/modules/kernel/kernel.if 2011-01-17 19:36:10.808130722 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/kernel.if 2011-01-18 23:13:49.763847950 +0100
> @@ -1406,6 +1406,26 @@ interface(`kernel_dontaudit_list_all_pro
>
> ########################################
> ## <summary>
> +## Allows to search the base
> +## directory of sysctls.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +##
> +#
> +interface(`kernel_search_sysctl',`
> + gen_require(`
> + type sysctl_t;
> + ')
> +
> + allow $1 sysctl_t:dir search;
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts by caller to search
> ## the base directory of sysctls.
> ## </summary>
> @@ -1873,6 +1893,24 @@ interface(`kernel_rw_kernel_sysctl',`
> ')
>
> ########################################
> +## <summary>
> +## Allow caller to search filesystem sysctls.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_search_fs_sysctl',`
> + gen_require(`
> + type proc_t, sysctl_t, sysctl_fs_t;
> + ')
> +
> + search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
> +')
> +
> +########################################
> ## <summary>
> ## Read filesystem sysctls.
> ## </summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.if refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.if
> --- refpolicy-git-18012011/policy/modules/services/avahi.if 2011-01-08 19:07:21.224738512 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.if 2011-01-18 23:38:58.297498219 +0100
> @@ -75,6 +75,25 @@ interface(`avahi_signull',`
>
> ########################################
> ## <summary>
> +## Send a dbus message to avahi.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`avahi_dbus_send',`
> + gen_require(`
> + type avahi_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 avahi_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## avahi over dbus.
> ## </summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.te refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.te
> --- refpolicy-git-18012011/policy/modules/services/avahi.te 2011-01-08 19:07:21.224738512 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.te 2011-01-19 01:20:50.132124585 +0100
> @@ -104,9 +104,17 @@ optional_policy(`
> ')
>
> optional_policy(`
> + ntp_dbus_send(avahi_t)
> +')
> +
> +optional_policy(`
> seutil_sigchld_newrole(avahi_t)
> ')
>
> optional_policy(`
> udev_read_db(avahi_t)
> ')
> +
> +optional_policy(`
> + xserver_xdm_dbus_send(avahi_t)
> +')
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/consolekit.if refpolicy-git-18012011-minimum-update/policy/modules/services/consolekit.if
> --- refpolicy-git-18012011/policy/modules/services/consolekit.if 2011-01-08 19:07:21.232739776 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/consolekit.if 2011-01-18 23:13:49.767848514 +0100
> @@ -20,6 +20,26 @@ interface(`consolekit_domtrans',`
>
> ########################################
> ## <summary>
> +## Send a dbus message to
> +## consolekit.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`consolekit_dbus_send',`
> + gen_require(`
> + type consolekit_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 consolekit_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## consolekit over dbus.
> ## </summary>
> @@ -93,5 +113,6 @@ interface(`consolekit_read_pid_files',`
> ')
>
> files_search_pids($1)
> + allow $1 consolekit_var_run_t:dir list_dir_perms;
> read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
> ')
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/dbus.te refpolicy-git-18012011-minimum-update/policy/modules/services/dbus.te
> --- refpolicy-git-18012011/policy/modules/services/dbus.te 2011-01-08 19:07:21.238740722 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/dbus.te 2011-01-18 23:13:49.790851763 +0100
> @@ -52,7 +52,7 @@ ifdef(`enable_mls',`
>
> # dac_override: /var/run/dbus is owned by messagebus on Debian
> # cjp: dac_override should probably go in a distro_debian
> -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
> +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace };
> dontaudit system_dbusd_t self:capability sys_tty_config;
> allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
> allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
> @@ -115,9 +115,14 @@ corecmd_read_bin_sockets(system_dbusd_t)
> domain_use_interactive_fds(system_dbusd_t)
> domain_read_all_domains_state(system_dbusd_t)
>
> +files_search_default(system_dbusd_t)
> +files_read_default_files(system_dbusd_t)
> files_read_etc_files(system_dbusd_t)
> files_list_home(system_dbusd_t)
> -files_read_usr_files(system_dbusd_t)
> +files_exec_bin_files(system_dbusd_t)
> +files_exec_usr_files(system_dbusd_t)
> +files_read_var_lib_files(system_dbusd_t)
> +files_var_log_append(system_dbusd_t)
>
> init_use_fds(system_dbusd_t)
> init_use_script_ptys(system_dbusd_t)
> @@ -141,6 +146,24 @@ optional_policy(`
> ')
>
> optional_policy(`
> + consolekit_read_pid_files(system_dbusd_t)
> + consolekit_dbus_send(system_dbusd_t)
> +')
> +
> +optional_policy(`
> + devicekit_dbus_send_disk(system_dbusd_t)
> + devicekit_dbus_send_power(system_dbusd_t)
> +')
> +
> +optional_policy(`
> + networkmanager_dbus_send(system_dbusd_t)
> +')
> +
> +optional_policy(`
> + ntp_dbus_chat(system_dbusd_t)
> +')
> +
> +optional_policy(`
> policykit_dbus_chat(system_dbusd_t)
> policykit_domtrans_auth(system_dbusd_t)
> policykit_search_lib(system_dbusd_t)
> @@ -154,6 +177,10 @@ optional_policy(`
> udev_read_db(system_dbusd_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_chat(system_dbusd_t)
> +')
> +
> ########################################
> #
> # Unconfined access to this module
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.if refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.if
> --- refpolicy-git-18012011/policy/modules/services/devicekit.if 2011-01-08 19:07:21.240741038 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.if 2011-01-18 23:13:49.791851900 +0100
> @@ -39,6 +39,25 @@ interface(`devicekit_dgram_send',`
>
> ########################################
> ## <summary>
> +## Send a dbus message to devicekit.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`devicekit_dbus_send',`
> + gen_require(`
> + type devicekit_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 devicekit_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## devicekit over dbus.
> ## </summary>
> @@ -60,6 +79,25 @@ interface(`devicekit_dbus_chat',`
>
> ########################################
> ## <summary>
> +## Send a dbus message to devicekit disk.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`devicekit_dbus_send_disk',`
> + gen_require(`
> + type devicekit_disk_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 devicekit_disk_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## devicekit disk over dbus.
> ## </summary>
> @@ -99,6 +137,25 @@ interface(`devicekit_signal_power',`
>
> ########################################
> ## <summary>
> +## Send a dbus message to devicekit power.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`devicekit_dbus_send_power',`
> + gen_require(`
> + type devicekit_power_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 devicekit_power_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## devicekit power over dbus.
> ## </summary>
> @@ -183,3 +240,22 @@ interface(`devicekit_admin',`
> admin_pattern($1, devicekit_var_run_t)
> files_search_pids($1)
> ')
> +
> +########################################
> +## <summary>
> +## DeviceKit power getattr on APM
> +## bios character device node files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`devicekit_getattr_apm_bios_files_power',`
> + gen_require(`
> + type apm_bios_t;
> + ')
> +
> + getattr_chr_files_pattern($1, apm_bios_t, apm_bios_t)
> +')
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.te refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.te
> --- refpolicy-git-18012011/policy/modules/services/devicekit.te 2011-01-08 19:07:21.241741196 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.te 2011-01-18 23:13:49.792852039 +0100
> @@ -43,6 +43,7 @@ dev_read_sysfs(devicekit_t)
> dev_read_urand(devicekit_t)
>
> files_read_etc_files(devicekit_t)
> +files_read_etc_runtime_files(devicekit_t)
>
> miscfiles_read_localization(devicekit_t)
>
> @@ -178,6 +179,10 @@ optional_policy(`
> virt_manage_images(devicekit_disk_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_send(devicekit_disk_t)
> +')
> +
> ########################################
> #
> # DeviceKit-Power local policy
> @@ -193,12 +198,15 @@ manage_dirs_pattern(devicekit_power_t, d
> manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
> files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
>
> +kernel_search_fs_sysctl(devicekit_power_t)
> +kernel_rw_vm_sysctls(devicekit_power_t)
> kernel_read_network_state(devicekit_power_t)
> kernel_read_system_state(devicekit_power_t)
> kernel_rw_hotplug_sysctls(devicekit_power_t)
> kernel_rw_kernel_sysctl(devicekit_power_t)
> kernel_search_debugfs(devicekit_power_t)
> kernel_write_proc_files(devicekit_power_t)
> +kernel_setsched(devicekit_power_t)
>
> corecmd_exec_bin(devicekit_power_t)
> corecmd_exec_shell(devicekit_power_t)
> @@ -215,9 +223,11 @@ dev_rw_sysfs(devicekit_power_t)
>
> files_read_kernel_img(devicekit_power_t)
> files_read_etc_files(devicekit_power_t)
> +files_rw_etc_runtime_files(devicekit_power_t)
> files_read_usr_files(devicekit_power_t)
>
> fs_list_inotifyfs(devicekit_power_t)
> +fs_remount_xattr_fs(devicekit_power_t)
>
> term_use_all_terms(devicekit_power_t)
>
> @@ -230,6 +240,11 @@ sysnet_domtrans_ifconfig(devicekit_power
>
> userdom_read_all_users_state(devicekit_power_t)
>
> +devicekit_getattr_apm_bios_files_power(devicekit_power_t)
> +
> +mount_exec_getattr(devicekit_power_t)
> +mount_exec(devicekit_power_t)
> +
> optional_policy(`
> bootloader_domtrans(devicekit_power_t)
> ')
> @@ -276,9 +291,17 @@ optional_policy(`
> ')
>
> optional_policy(`
> + storage_raw_read_fixed_disk(devicekit_power_t)
> +')
> +
> +optional_policy(`
> udev_read_db(devicekit_power_t)
> ')
>
> optional_policy(`
> vbetool_domtrans(devicekit_power_t)
> ')
> +
> +optional_policy(`
> + xserver_xdm_dbus_send(devicekit_power_t)
> +')
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/hal.te refpolicy-git-18012011-minimum-update/policy/modules/services/hal.te
> --- refpolicy-git-18012011/policy/modules/services/hal.te 2011-01-08 19:07:21.252742934 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/hal.te 2011-01-18 23:13:49.794852319 +0100
> @@ -338,6 +338,10 @@ optional_policy(`
> virt_manage_images(hald_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_send(hald_t)
> +')
> +
> ########################################
> #
> # Hal acl local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.if refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.if
> --- refpolicy-git-18012011/policy/modules/services/networkmanager.if 2011-01-08 19:07:21.269745618 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.if 2011-01-18 23:13:49.795852460 +0100
> @@ -116,6 +116,25 @@ interface(`networkmanager_initrc_domtran
>
> ########################################
> ## <summary>
> +## Send a dbus message to NetworkManager.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`networkmanager_dbus_send',`
> + gen_require(`
> + type NetworkManager_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 NetworkManager_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## NetworkManager over dbus.
> ## </summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.te refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.te
> --- refpolicy-git-18012011/policy/modules/services/networkmanager.te 2011-01-08 19:07:21.269745618 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.te 2011-01-18 23:13:49.796852601 +0100
> @@ -140,6 +140,7 @@ seutil_read_config(NetworkManager_t)
> sysnet_domtrans_ifconfig(NetworkManager_t)
> sysnet_domtrans_dhcpc(NetworkManager_t)
> sysnet_signal_dhcpc(NetworkManager_t)
> +sysnet_read_dhcpc_state(NetworkManager_t)
> sysnet_read_dhcpc_pid(NetworkManager_t)
> sysnet_delete_dhcpc_pid(NetworkManager_t)
> sysnet_search_dhcp_state(NetworkManager_t)
> @@ -265,6 +266,10 @@ optional_policy(`
> vpn_signull(NetworkManager_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_send(NetworkManager_t)
> +')
> +
> ########################################
> #
> # wpa_cli local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.if refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.if
> --- refpolicy-git-18012011/policy/modules/services/ntp.if 2011-01-08 19:07:21.272746092 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.if 2011-01-18 23:13:49.798852883 +0100
> @@ -163,3 +163,62 @@ interface(`ntp_admin',`
> files_list_pids($1)
> admin_pattern($1, ntpd_var_run_t)
> ')
> +
> +########################################
> +## <summary>
> +## Send a dbus message to ntpd.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ntp_dbus_send',`
> + gen_require(`
> + type ntpd_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 ntpd_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## ntpd over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ntp_dbus_chat',`
> + gen_require(`
> + type ntpd_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 ntpd_t:dbus send_msg;
> + allow ntpd_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Connect to dbus using a unix domain stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ntp_dbus_stream_connect',`
> + gen_require(`
> + type system_dbusd_t, system_dbusd_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
> +')
> Binary files refpolicy-git-18012011/policy/modules/services/.ntp.if.swp and refpolicy-git-18012011-minimum-update/policy/modules/services/.ntp.if.swp differ
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.te refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.te
> --- refpolicy-git-18012011/policy/modules/services/ntp.te 2011-01-08 19:07:21.272746092 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.te 2011-01-18 23:40:27.459838030 +0100
> @@ -125,11 +125,19 @@ userdom_dontaudit_use_unpriv_user_fds(nt
> userdom_list_user_home_dirs(ntpd_t)
>
> optional_policy(`
> + avahi_dbus_send(ntpd_t)
> +')
> +
> +optional_policy(`
> # for cron jobs
> cron_system_entry(ntpd_t, ntpdate_exec_t)
> ')
>
> optional_policy(`
> + ntp_dbus_stream_connect(ntpd_t)
> +')
> +
> +optional_policy(`
> gpsd_rw_shm(ntpd_t)
> ')
>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/plymouthd.te refpolicy-git-18012011-minimum-update/policy/modules/services/plymouthd.te
> --- refpolicy-git-18012011/policy/modules/services/plymouthd.te 2011-01-08 19:07:21.280747356 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/plymouthd.te 2011-01-18 23:13:49.800853165 +0100
> @@ -29,7 +29,7 @@ files_pid_file(plymouthd_var_run_t)
>
> allow plymouthd_t self:capability { sys_admin sys_tty_config };
> dontaudit plymouthd_t self:capability dac_override;
> -allow plymouthd_t self:process signal;
> +allow plymouthd_t self:process { signal getsched };
> allow plymouthd_t self:fifo_file rw_fifo_file_perms;
> allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.if refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.if
> --- refpolicy-git-18012011/policy/modules/services/setroubleshoot.if 2011-01-08 19:07:21.304751146 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.if 2011-01-18 23:13:49.801853306 +0100
> @@ -42,6 +42,26 @@ interface(`setroubleshoot_dontaudit_stre
>
> ########################################
> ## <summary>
> +## Send a dbus message to
> +## setroubleshoot.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`setroubleshoot_dbus_send',`
> + gen_require(`
> + type setroubleshootd_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 setroubleshootd_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## setroubleshoot over dbus.
> ## </summary>
> @@ -84,8 +104,28 @@ interface(`setroubleshoot_dontaudit_dbus
>
> ########################################
> ## <summary>
> +## Send a dbus message to
> +## setroubleshoot fixit.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`setroubleshoot_dbus_send_fixit',`
> + gen_require(`
> + type setroubleshoot_fixit_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 setroubleshoot_fixit_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> -## setroubleshoot over dbus.
> +## setroubleshoot fixit over dbus.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.te refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.te
> --- refpolicy-git-18012011/policy/modules/services/setroubleshoot.te 2011-01-08 19:07:21.305751304 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.te 2011-01-18 23:13:49.802853447 +0100
> @@ -125,12 +125,24 @@ optional_policy(`
> ')
>
> optional_policy(`
> + locate_read_lib_files(setroubleshootd_t)
> +')
> +
> +optional_policy(`
> + logging_dbus_send_dispatcher(setroubleshootd_t)
> +')
> +
> +optional_policy(`
> rpm_signull(setroubleshootd_t)
> rpm_read_db(setroubleshootd_t)
> rpm_dontaudit_manage_db(setroubleshootd_t)
> rpm_use_script_fds(setroubleshootd_t)
> ')
>
> +optional_policy(`
> + xserver_xdm_dbus_send(setroubleshootd_t)
> +')
> +
> ########################################
> #
> # setroubleshoot_fixit local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/smartmon.te refpolicy-git-18012011-minimum-update/policy/modules/services/smartmon.te
> --- refpolicy-git-18012011/policy/modules/services/smartmon.te 2011-01-08 19:07:21.326754622 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/smartmon.te 2011-01-18 23:13:49.803853588 +0100
> @@ -73,6 +73,8 @@ files_read_etc_runtime_files(fsdaemon_t)
> # for config
> files_read_etc_files(fsdaemon_t)
>
> +files_read_usr_files(fsdaemon_t)
> +
> fs_getattr_all_fs(fsdaemon_t)
> fs_search_auto_mountpoints(fsdaemon_t)
>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.if refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.if
> --- refpolicy-git-18012011/policy/modules/services/xserver.if 2011-01-08 19:07:21.344757464 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.if 2011-01-18 23:13:49.804853729 +0100
> @@ -1250,3 +1250,43 @@ interface(`xserver_unconfined',`
> typeattribute $1 x_domain;
> typeattribute $1 xserver_unconfined_type;
> ')
> +
> +########################################
> +## <summary>
> +## Send a dbus message to xdm.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_xdm_dbus_send',`
> + gen_require(`
> + type xdm_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 xdm_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## xdm over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_xdm_dbus_chat',`
> + gen_require(`
> + type xdm_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 xdm_t:dbus send_msg;
> + allow xdm_t $1:dbus send_msg;
> +')
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.te refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.te
> --- refpolicy-git-18012011/policy/modules/services/xserver.te 2011-01-08 19:07:21.344757464 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.te 2011-01-18 23:13:49.806854011 +0100
> @@ -508,6 +508,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + avahi_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> consolekit_dbus_chat(xdm_t)
> ')
>
> @@ -516,12 +520,21 @@ optional_policy(`
> ')
>
> optional_policy(`
> + devicekit_dbus_send_disk(xdm_t)
> + devicekit_dbus_send_power(xdm_t)
> +')
> +
> +optional_policy(`
> # Talk to the console mouse server.
> gpm_stream_connect(xdm_t)
> gpm_setattr_gpmctl(xdm_t)
> ')
>
> optional_policy(`
> + hal_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> hostname_exec(xdm_t)
> ')
>
> @@ -539,10 +552,18 @@ optional_policy(`
> ')
>
> optional_policy(`
> + networkmanager_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> resmgr_stream_connect(xdm_t)
> ')
>
> optional_policy(`
> + setroubleshoot_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
> seutil_sigchld_newrole(xdm_t)
> ')
>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/authlogin.te refpolicy-git-18012011-minimum-update/policy/modules/system/authlogin.te
> --- refpolicy-git-18012011/policy/modules/system/authlogin.te 2011-01-08 19:07:21.347757938 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/authlogin.te 2011-01-18 23:13:49.808854293 +0100
> @@ -91,6 +91,8 @@ files_list_etc(chkpwd_t)
> # is_selinux_enabled
> kernel_read_system_state(chkpwd_t)
>
> +kernel_search_sysctl(chkpwd_t)
> +
> domain_dontaudit_use_interactive_fds(chkpwd_t)
>
> dev_read_rand(chkpwd_t)
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-minimum-update/policy/modules/system/init.if
> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/init.if 2011-01-18 23:13:49.809854434 +0100
> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>
> ########################################
> ## <summary>
> +## Read init fifo file.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_read_fifo_file',`
> + gen_require(`
> + attribute init_t;
> + ')
> +
> + read_fifo_files_pattern($1, init_t, init_t)
> +')
> +
> +########################################
> +## <summary>
> ## Ptrace init
> ## </summary>
> ## <param name="domain">
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.if refpolicy-git-18012011-minimum-update/policy/modules/system/logging.if
> --- refpolicy-git-18012011/policy/modules/system/logging.if 2011-01-08 19:07:21.355759202 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/logging.if 2011-01-18 23:13:49.812854857 +0100
> @@ -337,6 +337,47 @@ interface(`logging_stream_connect_dispat
>
> ########################################
> ## <summary>
> +## Send a dbus message to the audit
> +## dispatcher.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_dbus_send_dispatcher',`
> + gen_require(`
> + type audisp_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 audisp_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## the audit dispatcher over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_dbus_chat_dispatcher',`
> + gen_require(`
> + type audisp_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 audisp_t:dbus send_msg;
> + allow audisp_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Manage the auditd configuration files.
> ## </summary>
> ## <param name="domain">
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.te refpolicy-git-18012011-minimum-update/policy/modules/system/logging.te
> --- refpolicy-git-18012011/policy/modules/system/logging.te 2011-01-08 19:07:21.356759360 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/logging.te 2011-01-18 23:13:49.813854998 +0100
> @@ -223,6 +223,8 @@ allow audisp_t self:unix_dgram_socket cr
>
> allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
>
> +allow audisp_t proc_t:file read_file_perms;
> +
> manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
> files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
>
> @@ -246,6 +248,10 @@ optional_policy(`
> dbus_system_bus_client(audisp_t)
> ')
>
> +optional_policy(`
> + setroubleshoot_dbus_send(audisp_t)
> +')
> +
> ########################################
> #
> # Audit remote logger local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/mount.if refpolicy-git-18012011-minimum-update/policy/modules/system/mount.if
> --- refpolicy-git-18012011/policy/modules/system/mount.if 2011-01-08 19:07:21.358759676 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/mount.if 2011-01-18 23:13:49.814855139 +0100
> @@ -51,6 +51,25 @@ interface(`mount_run',`
>
> ########################################
> ## <summary>
> +## Get the attributes of mount
> +## executable files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mount_exec_getattr',`
> + gen_require(`
> + type mount_exec_t;
> + ')
> +
> + allow $1 mount_exec_t:file getattr;
> +')
> +
> +########################################
> +## <summary>
> ## Execute mount in the caller domain.
> ## </summary>
> ## <param name="domain">
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/mount.te refpolicy-git-18012011-minimum-update/policy/modules/system/mount.te
> --- refpolicy-git-18012011/policy/modules/system/mount.te 2011-01-17 19:36:10.814131755 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/mount.te 2011-01-19 01:01:20.531005215 +0100
> @@ -51,12 +51,17 @@ kernel_read_kernel_sysctls(mount_t)
> kernel_dontaudit_getattr_core_if(mount_t)
> kernel_dontaudit_write_debugfs_dirs(mount_t)
> kernel_dontaudit_write_proc_dirs(mount_t)
> +kernel_setsched(mount_t)
> # To load binfmt_misc kernel module
> kernel_request_load_module(mount_t)
>
> # required for mount.smbfs
> corecmd_exec_bin(mount_t)
>
> +# required for mounting nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2
> +# from initscripts
> +corecmd_mmap_file_exec_shell(mount_t)
> +
> dev_getattr_all_blk_files(mount_t)
> dev_list_all_dev_nodes(mount_t)
> dev_read_sysfs(mount_t)
> @@ -108,6 +113,8 @@ storage_raw_read_fixed_disk(mount_t)
> storage_raw_write_fixed_disk(mount_t)
> storage_raw_read_removable_device(mount_t)
> storage_raw_write_removable_device(mount_t)
> +# needed for example by ntfs-3g
> +storage_rw_fuse(mount_t)
>
> term_use_all_terms(mount_t)
>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/sysnetwork.if refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.if
> --- refpolicy-git-18012011/policy/modules/system/sysnetwork.if 2011-01-08 19:07:21.362760308 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.if 2011-01-18 23:13:49.817855562 +0100
> @@ -215,6 +215,24 @@ interface(`sysnet_rw_dhcp_config',`
>
> ########################################
> ## <summary>
> +## Search dhcp client state directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`sysnet_search_dhcpc_state',`
> + gen_require(`
> + type dhcpc_state_t;
> + ')
> +
> + search_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)
> +')
> +
> +########################################
> +## <summary>
> ## Read dhcp client state files.
> ## </summary>
> ## <param name="domain">
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/sysnetwork.te refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.te
> --- refpolicy-git-18012011/policy/modules/system/sysnetwork.te 2011-01-08 19:07:21.363760466 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.te 2011-01-18 23:13:49.818855703 +0100
> @@ -325,6 +325,7 @@ ifdef(`hide_broken_symptoms',`
> ')
>
> optional_policy(`
> + hal_read_pid_files(ifconfig_t)
> hal_dontaudit_rw_pipes(ifconfig_t)
> hal_dontaudit_rw_dgram_sockets(ifconfig_t)
> ')
>
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
next prev parent reply other threads:[~2011-01-20 13:18 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-19 0:40 [refpolicy] RFC: patch to update git reference policy Guido Trentalancia
2011-01-20 13:18 ` Christopher J. PeBenito [this message]
2011-01-20 17:32 ` Guido Trentalancia
2011-01-21 12:37 ` Christopher J. PeBenito
2011-01-24 0:43 ` [refpolicy] [PATCH/RFC 0/19]: patch set to update the " Guido Trentalancia
2011-01-24 15:01 ` Dominick Grift
2011-01-24 15:56 ` Guido Trentalancia
2011-01-24 15:59 ` Dominick Grift
2011-01-24 21:01 ` Guido Trentalancia
2011-01-24 21:22 ` Dominick Grift
[not found] ` <4D471319.2000907@tresys.com>
2011-01-31 21:18 ` Guido Trentalancia
2011-02-02 23:52 ` Martin Orr
2011-02-03 0:04 ` Guido Trentalancia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D383627.60804@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.