From: pjnuzzi@tycho.ncsc.mil (Paul Nuzzi)
Date: Fri, 10 Dec 2010 18:22:35 -0500
Subject: [refpolicy] [PATCH] fedora14
Message-ID: <4D02B63B.4060305@tycho.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
A few patches to get refpolicy working on Fedora 14. You can pick and chose which ones are worth upstreaming. upstart is probably the most important.
Signed-off-by: Paul Nuzzi
---
policy/modules/roles/sysadm.te | 5 ++++-
policy/modules/services/ssh.te | 1 +
policy/modules/system/authlogin.te | 1 +
policy/modules/system/init.fc | 1 +
policy/modules/system/ipsec.te | 4 ++++
policy/modules/system/mount.te | 1 +
6 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index d5e88be..6b5949e 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,7 +24,7 @@ ifndef(`enable_mls',`
 #
 # Local policy
 #
-
+allow sysadm_t self:key_socket { read write };
 corecmd_exec_shell(sysadm_t)
 mls_process_read_up(sysadm_t)
@@ -34,6 +34,9 @@ ubac_file_exempt(sysadm_t)
 ubac_fd_exempt(sysadm_t)
 init_exec(sysadm_t)
+init_stream_connect(sysadm_t)
+
+logging_send_audit_msgs(sysadm_t)
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..12e6d69 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -238,6 +238,7 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
 manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
 files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
+kernel_read_crypto_sysctls(sshd_t)
 kernel_search_key(sshd_t)
 kernel_link_key(sshd_t)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 54d122b..25bfbd4 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
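Review bot: The new `allow sysadm_t self:key_socket { read write };` replaces the blank line that separated the `# Local policy` header from the first rule, and it has no blank line between itself and the interface calls that follow, which is the spacing refpolicy otherwise keeps between raw allow rules and interface calls; restore the blank line after the header and add one after the rule. The permission set also deserves a second look: read and write on a key_socket only cover a PF_KEY socket the domain already holds, since creating one normally requires `create` on that class as well, so either the denial came from an inherited descriptor or further denials are likely to follow. The commit message does not say which administrative tool produced the denial; a comment such as `# PF_KEY socket access for <tool> -- TODO name the tool` above the rule would record that.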
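Review bot: `init_stream_connect(sysadm_t)` and `logging_send_audit_msgs(sysadm_t)` carry no comment, and the commit message names upstart as the motivation only in passing, so the hunk does not tell a reader why the sysadm role now connects to init's stream socket; a line such as `# talk to upstart's control socket (initctl)` above `init_stream_connect(sysadm_t)` would, if that is indeed the trigger. The audit-message grant is broader than a socket connect — as far as I recall it covers the audit_write capability and netlink_audit_socket use — and would benefit from a word on which tool needs it. The new calls also appear to land directly ahead of the `# Add/remove user home directories` comment; blank context lines may have been lost in this rendering, but if not, a blank line after the second new call keeps that comment block separate.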
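Review bot: `kernel_read_crypto_sysctls(sshd_t)` is added without a comment, and the same interface is added for chkpwd_t in authlogin.te and for ipsec_t and racoon_t in ipsec.te; none of the four hunks say what actually reads the crypto sysctls. If the reader is a shared crypto library checking the kernel's FIPS setting rather than the daemons themselves — a plausible common cause, since all four domains do password or key cryptography — the grant belongs in an interface those domains already share so that other consumers pick it up too and the rule is not repeated per domain. If it stays per domain, put a comment above each call, e.g. `# crypto library reads fips sysctl -- confirm`. In authlogin.te the new call also sits directly under the existing `# is_selinux_enabled` comment, which only describes `kernel_read_system_state(chkpwd_t)`, so it should get its own comment or a separating blank line there.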
@@ -90,6 +90,7 @@ files_list_etc(chkpwd_t)
 # is_selinux_enabled
 kernel_read_system_state(chkpwd_t)
+kernel_read_crypto_sysctls(chkpwd_t)
 domain_dontaudit_use_interactive_fds(chkpwd_t)
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 9775375..a8f7989 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -25,6 +25,7 @@ ifdef(`distro_gentoo',`
 # /sbin
 #
 /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
 ifdef(`distro_gentoo', `
 /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 44c32d5..0c8e6ac 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -161,6 +161,8 @@ auth_use_nsswitch(ipsec_t)
 init_use_fds(ipsec_t)
 init_use_script_ptys(ipsec_t)
+kernel_read_crypto_sysctls(ipsec_t)
+
 logging_send_syslog_msg(ipsec_t)
 miscfiles_read_localization(ipsec_t)
@@ -376,6 +378,8 @@ auth_use_nsswitch(racoon_t)
 ipsec_setcontext_default_spd(racoon_t)
+kernel_read_crypto_sysctls(racoon_t)
+
 locallogin_use_fds(racoon_t)
 logging_send_syslog_msg(racoon_t)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index fca6947..93818b1 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -52,6 +52,7 @@ kernel_dontaudit_getattr_core_if(mount_t)
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
+corecmd_exec_shell(mount_t)
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
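Review bot: The new `/sbin/upstart` entry in init.fc has no comment tying it to the change the commit message calls the most important one; a line such as `# upstart init binary (Fedora 14)` above it would explain why a second path carries init_exec_t. Labelling the binary init_exec_t gives it the same domain transitions and the same trust as `/sbin/init`, which is appropriate only if upstart is really the program that runs as the init process on those systems and is not also used as an ordinary tool — worth confirming in the commit message. Placing it outside the `ifdef(`distro_gentoo'` block that follows, i.e. unconditionally, looks right since upstart is not Fedora-specific.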
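Review bot: `corecmd_exec_shell(mount_t)` in mount.te lands directly under the existing `# required for mount.smbfs` comment, so it reads as if the shell exec were also for mount.smbfs, which the commit does not state. Letting mount_t run a shell means any helper script it launches executes with mount_t's own privileges and no domain transition (the surrounding context already shows it may enumerate device nodes and getattr all block files), which is a notable widening of that domain and should be documented with the Fedora 14 helper that needs it, e.g. `# <helper> is a shell script on Fedora 14 -- confirm` above the call. If only one specific helper needs a shell, a dedicated type with a domain transition would be tighter than executing the shell in mount_t itself.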