2010-12-10 23:22:35

by Paul Nuzzi

Subject: [refpolicy] [PATCH] fedora14

A few patches to get refpolicy working on Fedora 14. You can pick and choose which ones are worth
upstreaming. upstart is probably the most important.

Signed-off-by: Paul Nuzzi <[email protected]>

---

policy/modules/roles/sysadm.te | 5 ++++-
policy/modules/services/ssh.te | 1 +
policy/modules/system/authlogin.te | 1 +
policy/modules/system/init.fc | 1 +
policy/modules/system/ipsec.te | 4 ++++
policy/modules/system/mount.te | 1 +
6 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index d5e88be..6b5949e 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,7 +24,7 @@ ifndef(`enable_mls',`
#
# Local policy
#
-
+allow sysadm_t self:key_socket { read write };
corecmd_exec_shell(sysadm_t)

mls_process_read_up(sysadm_t)
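Review bot: The new `allow sysadm_t self:key_socket { read write };` is a raw allow rule at the top of the local-policy section with no comment saying which administrative tool needs a PF_KEY socket, and it grants only read/write, so it presumably covers a socket that is already open — if the tool creates the socket itself, `create` would be missing as well; worth checking against the denial that motivated it. The rule also takes the place of the blank line after the `# Local policy` header, leaving it glued to the comment block; keeping the blank line and adding a one-line why-comment such as `# PF_KEY (IPsec SA management) socket access for admin tools` would match the rest of the file. Self rules for admin domains are, as far as I recall, normally provided through the userdom templates rather than written inline in sysadm.te, so that may be the better home for it.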
@@ -34,6 +34,9 @@ ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)

init_exec(sysadm_t)
+init_stream_connect(sysadm_t)
+
+logging_send_audit_msgs(sysadm_t)

# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
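Review bot: `logging_send_audit_msgs(sysadm_t)` lets the admin domain emit audit records (audit_write plus netlink audit socket use, if I recall the interface correctly), which is a noticeable widening for a role domain, and neither the hunk nor the commit message says which Fedora 14 tool needed it. A comment above the call naming the trigger, e.g. `# <tool> sends audit messages`, would let a later reviewer judge whether a dedicated domain for that tool is the tighter fix. The same goes for `init_stream_connect(sysadm_t)`, which is probably the upstart control socket mentioned in the description — if so, a one-line comment saying that would save the next reader a guess.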
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..12e6d69 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -238,6 +238,7 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })

+kernel_read_crypto_sysctls(sshd_t)
kernel_search_key(sshd_t)
kernel_link_key(sshd_t)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 54d122b..25bfbd4 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -90,6 +90,7 @@ files_list_etc(chkpwd_t)

# is_selinux_enabled
kernel_read_system_state(chkpwd_t)
+kernel_read_crypto_sysctls(chkpwd_t)

domain_dontaudit_use_interactive_fds(chkpwd_t)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 9775375..a8f7989 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -25,6 +25,7 @@ ifdef(`distro_gentoo',`
# /sbin
#
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)

ifdef(`distro_gentoo', `
/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
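Review bot: The new `/sbin/upstart` entry duplicates the `init_exec_t` context of the `/sbin/init(ng)?` line above it; a single regex `/sbin/(init(ng)?|upstart) -- gen_context(system_u:object_r:init_exec_t,s0)` keeps one init entry and one place to change the context. The line is unconditional while the neighbouring entries are wrapped in distro ifdefs — reasonable if upstart is expected on more than one distribution, but a short comment saying so would help. refpolicy .fc fields are normally tab-separated; the single spaces shown here may be a mail-rendering artefact, so check the committed file.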
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 44c32d5..0c8e6ac 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -161,6 +161,8 @@ auth_use_nsswitch(ipsec_t)
init_use_fds(ipsec_t)
init_use_script_ptys(ipsec_t)

+kernel_read_crypto_sysctls(ipsec_t)
+
logging_send_syslog_msg(ipsec_t)

miscfiles_read_localization(ipsec_t)
@@ -376,6 +378,8 @@ auth_use_nsswitch(racoon_t)

ipsec_setcontext_default_spd(racoon_t)

+kernel_read_crypto_sysctls(racoon_t)
+
locallogin_use_fds(racoon_t)

logging_send_syslog_msg(racoon_t)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index fca6947..93818b1 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -52,6 +52,7 @@ kernel_dontaudit_getattr_core_if(mount_t)

# required for mount.smbfs
corecmd_exec_bin(mount_t)
+corecmd_exec_shell(mount_t)

dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
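Review bot: `corecmd_exec_shell(mount_t)` now sits under the existing `# required for mount.smbfs` comment, so a reader will attribute the shell execution to mount.smbfs even though the hunk gives no reason; if a different (shell-script) mount helper on Fedora 14 triggered it, give it its own comment, e.g. `# <helper> is a shell script`. Executing a shell inside mount_t widens that domain more than exec_bin does: any helper script keeps mount_t's full mount privileges, so if only one helper needs a shell, a domain transition for that helper is the tighter alternative. mount_t's local policy continues outside this hunk.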