2012-12-05 22:03:24

by Laurent Bigonville

Subject: [refpolicy] [PATCH 1/9] Add several named transitions for directories created in /var/run by initscripts

From: Laurent Bigonville <[email protected]>

In Debian, /var/run is a tmpfs; this means that the initscripts must
recreate the needed directories during boot and they must be able to
transition to the correct context.
---
cups.te | 1 +
nut.te | 1 +
pcscd.te | 1 +
rpcbind.te | 1 +
xen.te | 1 +
5 files changed, 5 insertions(+)

diff --git a/cups.te b/cups.te
index 069141c..c1d5b4b 100644
--- a/cups.te
+++ b/cups.te
@@ -59,6 +59,7 @@ files_tmp_file(cupsd_tmp_t)

type cupsd_var_run_t;
files_pid_file(cupsd_var_run_t)
+init_daemon_run_dir(cupsd_var_run_t, "cups")
mls_trusted_object(cupsd_var_run_t)

type hplip_t;
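Review bot: init_daemon_run_dir(cupsd_var_run_t, "cups") is a name-based transition, so it only fires when initrc_t creates a directory called exactly "cups" under var_run_t; make sure the cups file context for that directory carries the same type, otherwise restorecon and the boot-time transition will disagree on the label. Placing the call with the cupsd_var_run_t declaration, ahead of mls_trusted_object(), follows the file's existing layout.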
diff --git a/nut.te b/nut.te
index 81ee2c6..e525457 100644
--- a/nut.te
+++ b/nut.te
@@ -27,6 +27,7 @@ init_script_file(nut_initrc_exec_t)

type nut_var_run_t;
files_pid_file(nut_var_run_t)
+init_daemon_run_dir(nut_var_run_t, "nut")

########################################
#
diff --git a/pcscd.te b/pcscd.te
index 802728d..4c85dd5 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -14,6 +14,7 @@ init_script_file(pcscd_initrc_exec_t)

type pcscd_var_run_t;
files_pid_file(pcscd_var_run_t)
+init_daemon_run_dir(pcscd_var_run_t, "pcscd")

########################################
#
diff --git a/rpcbind.te b/rpcbind.te
index 8337482..b00c730 100644
--- a/rpcbind.te
+++ b/rpcbind.te
@@ -14,6 +14,7 @@ init_script_file(rpcbind_initrc_exec_t)

type rpcbind_var_run_t;
files_pid_file(rpcbind_var_run_t)
+init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")

type rpcbind_var_lib_t;
files_type(rpcbind_var_lib_t)
diff --git a/xen.te b/xen.te
index 1c9a2f0..0ad5e4d 100644
--- a/xen.te
+++ b/xen.te
@@ -105,6 +105,7 @@ logging_log_file(xenstored_var_log_t)

type xenstored_var_run_t;
files_pid_file(xenstored_var_run_t)
+init_daemon_run_dir(xenstored_var_run_t, "xenstored")

type xenconsoled_t;
type xenconsoled_exec_t;
--
1.7.10.4


2012-12-05 22:03:25

by Laurent Bigonville

Subject: [refpolicy] [PATCH 2/9] rpcbind.te: Add named file transition for pidfile created by initscript

From: Laurent Bigonville <[email protected]>

---
rpcbind.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/rpcbind.te b/rpcbind.te
index b00c730..56145c9 100644
--- a/rpcbind.te
+++ b/rpcbind.te
@@ -15,6 +15,7 @@ init_script_file(rpcbind_initrc_exec_t)
type rpcbind_var_run_t;
files_pid_file(rpcbind_var_run_t)
init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
+init_daemon_run_file(rpcbind_var_run_t, "rpcbind.pid")

type rpcbind_var_lib_t;
files_type(rpcbind_var_lib_t)
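Review bot: the commit body is empty; state why the initscript, rather than rpcbind itself, writes the pid file (a daemon that writes its own pid file is already covered by files_pid_file on its domain), and confirm that init_daemon_run_file exists in the refpolicy revision this is based on, since the 6/9 reply shows the series otherwise depends on interfaces that are not merged yet. The name must match exactly what the script creates ("rpcbind.pid"); any other name falls back to var_run_t.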
--
1.7.10.4

2012-12-05 22:03:26

by Laurent Bigonville

Subject: [refpolicy] [PATCH 3/9] Run packagekit under apt_t context on Debian distribution

From: Laurent Bigonville <[email protected]>

Properly label the daemon and the needed files and directories

Also allow the daemon to transition to its own context when started by
the system dbus
---
apt.fc | 3 +++
apt.te | 4 ++++
rpm.fc | 4 ++--
3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/apt.fc b/apt.fc
index 93d315c..1fd6888 100644
--- a/apt.fc
+++ b/apt.fc
@@ -2,7 +2,10 @@ ifndef(`distro_redhat',`
/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
+/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
+/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
')

/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
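Review bot: the guard here is ifndef(`distro_redhat'), not ifdef(`distro_debian'), so packagekitd becomes apt_exec_t on every non-Red Hat build, not only on Debian as the subject says; either tighten the guard or state the wider scope in the commit message. The new PackageKit cache and lib entries mirror the ones removed from rpm.fc in this same patch, which keeps the two modules from labelling the same paths with different types.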
diff --git a/apt.te b/apt.te
index 5ffc8b8..aaa43cc 100644
--- a/apt.te
+++ b/apt.te
@@ -125,6 +125,10 @@ optional_policy(`
')

optional_policy(`
+ dbus_system_domain(apt_t, apt_exec_t)
+')
+
+optional_policy(`
dpkg_read_db(apt_t)
dpkg_domtrans(apt_t)
dpkg_lock_db(apt_t)
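Review bot: dbus_system_domain(apt_t, apt_exec_t) lets the system bus start packagekitd with a transition into apt_t, which is what the message asks for, but this block is not under the ifndef(`distro_redhat') guard that the .fc change uses. It is harmless on Red Hat, where nothing is labelled apt_exec_t, but the asymmetry deserves a sentence in the message. Giving it its own optional_policy block instead of folding it into the dpkg one is the right split, since the dbus and dpkg modules are independent.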
diff --git a/rpm.fc b/rpm.fc
index e37a2d5..ebe91fc 100644
--- a/rpm.fc
+++ b/rpm.fc
@@ -31,17 +31,17 @@ ifdef(`distro_redhat',`
/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/aptitude -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
')

/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)

/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)

/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
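Review bot: moving the two PackageKit lines into the ifdef(`distro_redhat') block rather than leaving them unconditional is correct: apt.fc now labels the same paths under ifndef(`distro_redhat'), so on non-Red Hat builds both modules would otherwise have emitted file_contexts entries for /var/cache/PackageKit and /var/lib/PackageKit with different types.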
--
1.7.10.4

2012-12-05 22:03:27

by Laurent Bigonville

Subject: [refpolicy] [PATCH 4/9] Add proper label for colord daemon in Debian

From: Laurent Bigonville <[email protected]>

Colord daemons in Debian are installed in /usr/lib/<triplet>/colord/
---
colord.fc | 3 +++
1 file changed, 3 insertions(+)

diff --git a/colord.fc b/colord.fc
index 534db54..c185ca9 100644
--- a/colord.fc
+++ b/colord.fc
@@ -1,3 +1,6 @@
+/usr/lib/.*\-.*\-.*/colord/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
+/usr/lib/.*\-.*\-.*/colord/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
+
/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)

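Review bot: `.*` also matches "/", so `/usr/lib/.*\-.*\-.*/colord/colord` is not limited to a single multiarch triplet directory; any path under /usr/lib with two hyphens somewhere before a trailing colord/colord matches, across directory boundaries. A single path component is `[^/]*`, which is what v2 of this patch later in the thread uses; the backslash before "-" is also unnecessary outside a bracket expression.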
--
1.7.10.4

2012-12-05 22:03:28

by Laurent Bigonville

Subject: [refpolicy] [PATCH 5/9] Allow the system dbus to search cgroup directories

From: Laurent Bigonville <[email protected]>

When compiling with systemd support, dbus looks at the available
cgroups to try to figure out whether the system was booted using systemd
---
dbus.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/dbus.te b/dbus.te
index 586c97f..b9d84e7 100644
--- a/dbus.te
+++ b/dbus.te
@@ -101,6 +101,7 @@ files_read_usr_files(system_dbusd_t)
fs_getattr_all_fs(system_dbusd_t)
fs_list_inotifyfs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
+fs_search_cgroup_dirs(system_dbusd_t)
fs_dontaudit_list_nfs(system_dbusd_t)

mls_fd_use_all_levels(system_dbusd_t)
--
1.7.10.4

2012-12-05 22:03:29

by Laurent Bigonville

Subject: [refpolicy] [PATCH 6/9] Ensure that consolekit can create /var/run/console directory on Debian

From: Laurent Bigonville <[email protected]>

---
consolekit.te | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/consolekit.te b/consolekit.te
index 1ca336f..6cfaee6 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -87,6 +87,11 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_files(consolekit_t)
')

+ifdef(`distro_debian',`
+ auth_create_pam_console_data_dirs(consolekit_t)
+ auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
+')
+
optional_policy(`
dbus_system_domain(consolekit_t, consolekit_exec_t)

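Review bot: auth_create_pam_console_data_dirs() and auth_pid_filetrans_pam_var_console() are not in refpolicy yet (the maintainer's reply on 6/9 says the same), so this module will not build against current refpolicy until those interfaces land; they belong in this series, ahead of this patch. Guarding with ifdef(`distro_debian') is consistent with the tmpfs /var/run reasoning in 1/9, and the transition name "console" matches the directory named in the subject.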
--
1.7.10.4

2012-12-05 22:03:30

by Laurent Bigonville

Subject: [refpolicy] [PATCH 7/9] Allow virtd_t context to read sysctl_crypto_t

From: Laurent Bigonville <[email protected]>

---
virt.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/virt.te b/virt.te
index 49c9f17..00676eb 100644
--- a/virt.te
+++ b/virt.te
@@ -504,6 +504,7 @@ stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)

can_exec(virtd_t, virt_tmp_t)

+kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
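Review bot: the commit body is empty; say which file under /proc/sys/crypto virtd reads and what triggers the read (a library initialisation check, a helper it executes), so a later reader can judge whether the rule still applies. Alphabetical placement before kernel_read_system_state() is correct.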
--
1.7.10.4

2012-12-05 22:03:31

by Laurent Bigonville

Subject: [refpolicy] [PATCH 8/9] Allow colord_t context to read sysctl_crypto_t

From: Laurent Bigonville <[email protected]>

---
colord.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/colord.te b/colord.te
index 189ef9e..2daf284 100644
--- a/colord.te
+++ b/colord.te
@@ -43,6 +43,7 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)

+kernel_read_crypto_sysctls(colord_t)
kernel_read_device_sysctls(colord_t)
kernel_read_network_state(colord_t)
kernel_read_system_state(colord_t)
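Review bot: same as 7/9, the body is empty; note what in colord reads the crypto sysctls. Placement before kernel_read_device_sysctls() keeps the kernel_ calls sorted.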
--
1.7.10.4

2012-12-05 22:03:32

by Laurent Bigonville

Subject: [refpolicy] [PATCH 9/9] Add proper label for gconfd-2 daemon in Debian

From: Laurent Bigonville <[email protected]>

Gconfd-2 daemon in Debian is installed in /usr/lib/<triplet>/colord/
---
gnome.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnome.fc b/gnome.fc
index b44275d..93596e2 100644
--- a/gnome.fc
+++ b/gnome.fc
@@ -11,4 +11,5 @@ HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)

/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)

+/usr/lib/.*\-.*\-.*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
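Review bot: the commit body says /usr/lib/<triplet>/colord/ while the hunk labels .../gconf/gconfd-2, so the message needs fixing, and the triplet pattern has the same over-matching problem as 4/9, with `.*` crossing "/". Both are addressed by the v2 of this patch later in the thread, which uses `/usr/lib/[^/]*/gconf/gconfd-2`.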
--
1.7.10.4

2012-12-05 22:06:42

by dominick.grift

Subject: [refpolicy] [PATCH 9/9] Add proper label for gconfd-2 daemon in Debian

On Wed, 2012-12-05 at 23:03 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Gconfd-2 daemon in Debian is installed in /usr/lib/<triplet>/colord/

colord?!

> ---
> gnome.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/gnome.fc b/gnome.fc
> index b44275d..93596e2 100644
> --- a/gnome.fc
> +++ b/gnome.fc
> @@ -11,4 +11,5 @@ HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
>
> /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
>
> +/usr/lib/.*\-.*\-.*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)

Is this the most optimal regular expression? It looks a bit unnatural

> /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
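A comparison of the two triplet patterns discussed in this thread (the v1 `.*\-.*\-.*` form and the v2 `[^/]*` form), added here as an example and not part of the exchange. It assumes that Python's re treats `.*`, `[^/]*` and the escaped hyphen the same way the PCRE matching behind file_contexts does for these constructs, and that patterns are anchored at both ends, as the labelling tools apply them.

```python
import re

# Patterns quoted from the thread: PATCH 4/9 v1 vs. v2 for colord; the
# gconfd-2 entries in PATCH 9/9 v1 vs. v2 have the same shape.
V1_PATTERN = r"/usr/lib/.*\-.*\-.*/colord/colord"
V2_PATTERN = r"/usr/lib/[^/]*/colord/colord"


def fc_match(pattern: str, path: str) -> bool:
    """Apply a file_contexts pattern the way the labelling tools do:
    the regex is anchored at both ends, so it must cover the whole
    path (assumption: Python re and PCRE agree for these constructs)."""
    return re.fullmatch(pattern, path) is not None


# Constructed sample paths; the first two use real multiarch triplet
# names, the rest are made up to probe the patterns.
SAMPLE_PATHS = [
    "/usr/lib/x86_64-linux-gnu/colord/colord",     # intended target
    "/usr/lib/i386-linux-gnu/colord/colord",       # another triplet
    "/usr/lib/colord/colord",                      # no triplet dir at all
    "/usr/lib/a-b/c-d/colord/colord",              # hyphens span two dirs
    "/usr/lib/one-two-three/extra/colord/colord",  # extra path component
]


def labelled_by(pattern: str, paths=SAMPLE_PATHS) -> list:
    """Paths that would receive colord_exec_t under the given pattern."""
    return [p for p in paths if fc_match(pattern, p)]


def overmatched(paths=SAMPLE_PATHS) -> list:
    """Paths the v1 pattern labels that the v2 pattern does not: under
    v1 these binaries would silently be labelled colord_exec_t, and a
    domain transition into colord_t would apply to whatever lives there."""
    return [p for p in paths
            if fc_match(V1_PATTERN, p) and not fc_match(V2_PATTERN, p)]


if __name__ == "__main__":
    for name, pat in (("v1", V1_PATTERN), ("v2", V2_PATTERN)):
        print(name, labelled_by(pat))
    print("over-matched by v1:", overmatched())
```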

2012-12-05 22:13:12

by dominick.grift

Subject: [refpolicy] [PATCH 6/9] Ensure that consolekit can create /var/run/console directory on Debian

On Wed, 2012-12-05 at 23:03 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> ---
> consolekit.te | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/consolekit.te b/consolekit.te
> index 1ca336f..6cfaee6 100644
> --- a/consolekit.te
> +++ b/consolekit.te
> @@ -87,6 +87,11 @@ tunable_policy(`use_samba_home_dirs',`
> fs_read_cifs_files(consolekit_t)
> ')
>
> +ifdef(`distro_debian',`
> + auth_create_pam_console_data_dirs(consolekit_t)
> + auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
> +')
> +
> optional_policy(`
> dbus_system_domain(consolekit_t, consolekit_exec_t)
>

I will put this one in my "outstanding" folder since I need to wait for
those interfaces to become available in refpolicy

2012-12-05 22:52:00

by Laurent Bigonville

Subject: [refpolicy] [PATCH 9/9 v2] Add proper label for gconfd-2 daemon in Debian

From: Laurent Bigonville <[email protected]>

Gconfd-2 daemon in Debian is installed in /usr/lib/<triplet>/gconf/
---
gnome.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnome.fc b/gnome.fc
index b44275d..e39de43 100644
--- a/gnome.fc
+++ b/gnome.fc
@@ -11,4 +11,5 @@ HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)

/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)

+/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
--
1.7.10.4

2012-12-05 23:09:08

by Laurent Bigonville

Subject: [refpolicy] [PATCH 4/9 v2] Add proper label for colord daemon in Debian

From: Laurent Bigonville <[email protected]>

Colord daemons in Debian are installed in /usr/lib/<triplet>/colord/
---
colord.fc | 3 +++
1 file changed, 3 insertions(+)

diff --git a/colord.fc b/colord.fc
index 534db54..717ea0b 100644
--- a/colord.fc
+++ b/colord.fc
@@ -1,3 +1,6 @@
+/usr/lib/[^/]*/colord/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
+/usr/lib/[^/]*/colord/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
+
/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)

--
1.7.10.4

2012-12-06 15:39:38

by dominick.grift

Subject: [refpolicy] [PATCH 1/9] Add several named transitions for directories created in /var/run by initscripts

On Wed, 2012-12-05 at 23:03 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> In Debian, /var/run is a tmpfs; this means that the initscripts must
> recreate the needed directories during boot and they must be able to
> transition to the correct context.

This was merged, thanks

> ---
> cups.te | 1 +
> nut.te | 1 +
> pcscd.te | 1 +
> rpcbind.te | 1 +
> xen.te | 1 +
> 5 files changed, 5 insertions(+)
>
> diff --git a/cups.te b/cups.te
> index 069141c..c1d5b4b 100644
> --- a/cups.te
> +++ b/cups.te
> @@ -59,6 +59,7 @@ files_tmp_file(cupsd_tmp_t)
>
> type cupsd_var_run_t;
> files_pid_file(cupsd_var_run_t)
> +init_daemon_run_dir(cupsd_var_run_t, "cups")
> mls_trusted_object(cupsd_var_run_t)
>
> type hplip_t;
> diff --git a/nut.te b/nut.te
> index 81ee2c6..e525457 100644
> --- a/nut.te
> +++ b/nut.te
> @@ -27,6 +27,7 @@ init_script_file(nut_initrc_exec_t)
>
> type nut_var_run_t;
> files_pid_file(nut_var_run_t)
> +init_daemon_run_dir(nut_var_run_t, "nut")
>
> ########################################
> #
> diff --git a/pcscd.te b/pcscd.te
> index 802728d..4c85dd5 100644
> --- a/pcscd.te
> +++ b/pcscd.te
> @@ -14,6 +14,7 @@ init_script_file(pcscd_initrc_exec_t)
>
> type pcscd_var_run_t;
> files_pid_file(pcscd_var_run_t)
> +init_daemon_run_dir(pcscd_var_run_t, "pcscd")
>
> ########################################
> #
> diff --git a/rpcbind.te b/rpcbind.te
> index 8337482..b00c730 100644
> --- a/rpcbind.te
> +++ b/rpcbind.te
> @@ -14,6 +14,7 @@ init_script_file(rpcbind_initrc_exec_t)
>
> type rpcbind_var_run_t;
> files_pid_file(rpcbind_var_run_t)
> +init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
>
> type rpcbind_var_lib_t;
> files_type(rpcbind_var_lib_t)
> diff --git a/xen.te b/xen.te
> index 1c9a2f0..0ad5e4d 100644
> --- a/xen.te
> +++ b/xen.te
> @@ -105,6 +105,7 @@ logging_log_file(xenstored_var_log_t)
>
> type xenstored_var_run_t;
> files_pid_file(xenstored_var_run_t)
> +init_daemon_run_dir(xenstored_var_run_t, "xenstored")
>
> type xenconsoled_t;
> type xenconsoled_exec_t;

2012-12-06 15:40:36

by dominick.grift

Subject: [refpolicy] [PATCH 3/9] Run packagekit under apt_t context on Debian distribution

On Wed, 2012-12-05 at 23:03 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Properly label the daemon and the needed files and directories
>
> Also allow the daemon to transition to its own context when started by
> the system dbus

This was merged, thanks

> ---
> apt.fc | 3 +++
> apt.te | 4 ++++
> rpm.fc | 4 ++--
> 3 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/apt.fc b/apt.fc
> index 93d315c..1fd6888 100644
> --- a/apt.fc
> +++ b/apt.fc
> @@ -2,7 +2,10 @@ ifndef(`distro_redhat',`
> /usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
> +/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> ')
>
> /var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
> diff --git a/apt.te b/apt.te
> index 5ffc8b8..aaa43cc 100644
> --- a/apt.te
> +++ b/apt.te
> @@ -125,6 +125,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dbus_system_domain(apt_t, apt_exec_t)
> +')
> +
> +optional_policy(`
> dpkg_read_db(apt_t)
> dpkg_domtrans(apt_t)
> dpkg_lock_db(apt_t)
> diff --git a/rpm.fc b/rpm.fc
> index e37a2d5..ebe91fc 100644
> --- a/rpm.fc
> +++ b/rpm.fc
> @@ -31,17 +31,17 @@ ifdef(`distro_redhat',`
> /usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
> /usr/bin/aptitude -- gen_context(system_u:object_r:rpm_exec_t,s0)
> /usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
> +/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
> +/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
> ')
>
> /usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
> /usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
>
> /var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
> -/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
> /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
>
> /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
> -/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
> /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
> /var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
> /var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)

2012-12-06 15:41:16

by dominick.grift

Subject: [refpolicy] [PATCH 4/9 v2] Add proper label for colord daemon in Debian

On Thu, 2012-12-06 at 00:09 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Colord daemons in Debian are installed in /usr/lib/<triplet>/colord/

This was merged, thanks

> ---
> colord.fc | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/colord.fc b/colord.fc
> index 534db54..717ea0b 100644
> --- a/colord.fc
> +++ b/colord.fc
> @@ -1,3 +1,6 @@
> +/usr/lib/[^/]*/colord/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
> +/usr/lib/[^/]*/colord/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
> +
> /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
> /usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
>

2012-12-06 15:42:04

by dominick.grift

Subject: [refpolicy] [PATCH 5/9] Allow the system dbus to search cgroup directories

On Wed, 2012-12-05 at 23:03 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> When compiling with systemd support, dbus looks at the available
> cgroups to try to figure out whether the system was booted using systemd

This was merged, thanks

> ---
> dbus.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/dbus.te b/dbus.te
> index 586c97f..b9d84e7 100644
> --- a/dbus.te
> +++ b/dbus.te
> @@ -101,6 +101,7 @@ files_read_usr_files(system_dbusd_t)
> fs_getattr_all_fs(system_dbusd_t)
> fs_list_inotifyfs(system_dbusd_t)
> fs_search_auto_mountpoints(system_dbusd_t)
> +fs_search_cgroup_dirs(system_dbusd_t)
> fs_dontaudit_list_nfs(system_dbusd_t)
>
> mls_fd_use_all_levels(system_dbusd_t)

2012-12-06 15:44:49

by dominick.grift

Subject: [refpolicy] [PATCH 7/9] Allow virtd_t context to read sysctl_crypto_t

On Wed, 2012-12-05 at 23:03 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>

This was merged, thanks

> ---
> virt.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/virt.te b/virt.te
> index 49c9f17..00676eb 100644
> --- a/virt.te
> +++ b/virt.te
> @@ -504,6 +504,7 @@ stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
>
> can_exec(virtd_t, virt_tmp_t)
>
> +kernel_read_crypto_sysctls(virtd_t)
> kernel_read_system_state(virtd_t)
> kernel_read_network_state(virtd_t)
> kernel_rw_net_sysctls(virtd_t)

2012-12-06 15:45:32

by dominick.grift

Subject: [refpolicy] [PATCH 8/9] Allow colord_t context to read sysctl_crypto_t

On Wed, 2012-12-05 at 23:03 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>

This was merged, thanks

>
> ---
> colord.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/colord.te b/colord.te
> index 189ef9e..2daf284 100644
> --- a/colord.te
> +++ b/colord.te
> @@ -43,6 +43,7 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
> manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
> files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
>
> +kernel_read_crypto_sysctls(colord_t)
> kernel_read_device_sysctls(colord_t)
> kernel_read_network_state(colord_t)
> kernel_read_system_state(colord_t)

2012-12-06 15:46:23

by dominick.grift

Subject: [refpolicy] [PATCH 9/9 v2] Add proper label for gconfd-2 daemon in Debian

On Wed, 2012-12-05 at 23:52 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Gconfd-2 daemon in Debian is installed in /usr/lib/<triplet>/gconf/

This was merged, thanks

> ---
> gnome.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/gnome.fc b/gnome.fc
> index b44275d..e39de43 100644
> --- a/gnome.fc
> +++ b/gnome.fc
> @@ -11,4 +11,5 @@ HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
>
> /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
>
> +/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
> /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)

2012-12-09 13:14:57

by dominick.grift

Subject: [refpolicy] [PATCH 6/9] Ensure that consolekit can create /var/run/console directory on Debian

On Wed, 2012-12-05 at 23:03 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>

This was merged, thanks
>
> ---
> consolekit.te | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/consolekit.te b/consolekit.te
> index 1ca336f..6cfaee6 100644
> --- a/consolekit.te
> +++ b/consolekit.te
> @@ -87,6 +87,11 @@ tunable_policy(`use_samba_home_dirs',`
> fs_read_cifs_files(consolekit_t)
> ')
>
> +ifdef(`distro_debian',`
> + auth_create_pam_console_data_dirs(consolekit_t)
> + auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
> +')
> +
> optional_policy(`
> dbus_system_domain(consolekit_t, consolekit_exec_t)
>