From: guido@trentalancia.com (Guido Trentalancia) Date: Wed, 19 Jan 2011 17:34:39 +0100 Subject: [refpolicy] [RFC]: additional patch to update git reference policy Message-ID: <1295454879.3902.8.camel@tesla.lan> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello again ! A few hours ago I submitted a patch to update the git reference policy. Now I am attaching a companion patch for review. It should be normally applied after the first patch (minimum-update) has been applied. This new patch (extra-1-update) aims to improve the support for cpufreq-selector and for mount. Please provide your comments or suggestions. Thanks. Regards, Guido
diff -pruN -x .git refpolicy-git-18012011-minimum-update/policy/modules/apps/cpufreqselector.if refpolicy-git-18012011-extra-1-update/policy/modules/apps/cpufreqselector.if
--- refpolicy-git-18012011-minimum-update/policy/modules/apps/cpufreqselector.if 2011-01-08 19:07:21.176730930 +0100
+++ refpolicy-git-18012011-extra-1-update/policy/modules/apps/cpufreqselector.if 2011-01-19 18:10:57.842204859 +0100
@@ -1 +1,42 @@
 ## Command-line CPU frequency settings.
+
+########################################
+##
+## Send a dbus message to
+## cpufreq-selector.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cpufreqselector_dbus_send',`
+ gen_require(`
+ type cpufreqselector_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cpufreqselector_t:dbus send_msg;
+')
+
+########################################
+##
+## Send and receive messages from
+## cpufreq-selector over dbus.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cpufreqselector_dbus_chat',`
+ gen_require(`
+ type cpufreqselector_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cpufreqselector_t:dbus send_msg;
+ allow cpufreqselector_t $1:dbus send_msg;
+')
diff -pruN -x .git refpolicy-git-18012011-minimum-update/policy/modules/apps/cpufreqselector.te refpolicy-git-18012011-extra-1-update/policy/modules/apps/cpufreqselector.te
--- refpolicy-git-18012011-minimum-update/policy/modules/apps/cpufreqselector.te 2011-01-08 19:07:21.177731088 +0100
+++ refpolicy-git-18012011-extra-1-update/policy/modules/apps/cpufreqselector.te 2011-01-19 20:20:28.258032330 +0100
@@ -16,6 +16,7 @@ application_domain(cpufreqselector_t, cp
 allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
 allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+allow cpufreqselector_t self:process getsched;
 files_read_etc_files(cpufreqselector_t)
 files_read_usr_files(cpufreqselector_t)
@@ -24,6 +25,8 @@ corecmd_search_bin(cpufreqselector_t)
 dev_rw_sysfs(cpufreqselector_t)
+kernel_read_system_state(cpufreqselector_t)
+
 miscfiles_read_localization(cpufreqselector_t)
 userdom_read_all_users_state(cpufreqselector_t)
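Review bot: `cpufreqselector_dbus_chat` is defined in this hunk but nothing in the series calls it; the xdm/cpufreq-selector exchange is instead split into `cpufreqselector_dbus_send(xdm_t)` in xserver.te plus `xserver_xdm_dbus_send(cpufreqselector_t)` in the `@@ -50,3 +53,7` hunk of cpufreqselector.te. Refpolicy normally expresses a bidirectional exchange with a single chat call from one side, so `cpufreqselector_dbus_chat(xdm_t)` in xserver.te would cover both directions and let the extra optional_policy block in cpufreqselector.te go; otherwise the unused chat interface should be dropped until it has a caller. The `<summary>` and `<param name="domain">` XML tags are not visible in the interface comments as shown here, presumably stripped by the list archive, but worth confirming since the doc generator relies on them.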
@@ -50,3 +53,7 @@ optional_policy(`
 policykit_read_lib(cpufreqselector_t)
 policykit_read_reload(cpufreqselector_t)
 ')
+
+optional_policy(`
+ xserver_xdm_dbus_send(cpufreqselector_t)
+')
diff -pruN -x .git refpolicy-git-18012011-minimum-update/policy/modules/services/dbus.te refpolicy-git-18012011-extra-1-update/policy/modules/services/dbus.te
--- refpolicy-git-18012011-minimum-update/policy/modules/services/dbus.te 2011-01-18 23:13:49.790851763 +0100
+++ refpolicy-git-18012011-extra-1-update/policy/modules/services/dbus.te 2011-01-19 18:21:27.497950175 +0100
@@ -111,6 +111,8 @@ auth_read_pam_console_data(system_dbusd_
 corecmd_list_bin(system_dbusd_t)
 corecmd_read_bin_pipes(system_dbusd_t)
 corecmd_read_bin_sockets(system_dbusd_t)
+# needed for system-tools-backends
+corecmd_exec_shell(system_dbusd_t)
 domain_use_interactive_fds(system_dbusd_t)
 domain_read_all_domains_state(system_dbusd_t)
@@ -151,6 +153,10 @@ optional_policy(`
 ')
 optional_policy(`
+ cpufreqselector_dbus_send(system_dbusd_t)
+')
+
+optional_policy(`
 devicekit_dbus_send_disk(system_dbusd_t)
 devicekit_dbus_send_power(system_dbusd_t)
 ')
diff -pruN -x .git refpolicy-git-18012011-minimum-update/policy/modules/services/plymouthd.te refpolicy-git-18012011-extra-1-update/policy/modules/services/plymouthd.te
--- refpolicy-git-18012011-minimum-update/policy/modules/services/plymouthd.te 2011-01-18 23:13:49.800853165 +0100
+++ refpolicy-git-18012011-extra-1-update/policy/modules/services/plymouthd.te 2011-01-19 10:41:28.980579243 +0100
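Review bot: `corecmd_exec_shell(system_dbusd_t)` in the dbus.te `@@ -111,6 +111,8` hunk lets the system bus daemon itself execute a shell, a broad widening for a long-lived privileged daemon and one unrelated to the cpufreq-selector/mount scope given in the cover text; the comment only names `system-tools-backends`. If the denial comes from the daemon activating a backend that has no domain of its own, that backend then runs as system_dbusd_t with shell access, and the better fix is a domain transition for the helper in its own module rather than an allow here. If the rule is kept, wrap it in `optional_policy(\`` and record what actually runs the shell, e.g. `# system-tools-backends: <activation helper, from the AVC denial> is a shell script without its own domain`, so the grant can be revisited once a domain exists.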
@@ -64,6 +64,8 @@ miscfiles_read_localization(plymouthd_t)
 miscfiles_read_fonts(plymouthd_t)
 miscfiles_manage_fonts_cache(plymouthd_t)
+term_use_unallocated_ttys(plymouthd_t)
+
 ########################################
 #
 # Plymouth private policy
diff -pruN -x .git refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.te refpolicy-git-18012011-extra-1-update/policy/modules/services/xserver.te
--- refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.te 2011-01-18 23:13:49.806854011 +0100
+++ refpolicy-git-18012011-extra-1-update/policy/modules/services/xserver.te 2011-01-19 18:13:04.079997058 +0100
@@ -520,6 +520,10 @@ optional_policy(`
 ')
 optional_policy(`
+ cpufreqselector_dbus_send(xdm_t)
+')
+
+optional_policy(`
 devicekit_dbus_send_disk(xdm_t)
 devicekit_dbus_send_power(xdm_t)
 ')
diff -pruN -x .git refpolicy-git-18012011-minimum-update/policy/modules/system/mount.te refpolicy-git-18012011-extra-1-update/policy/modules/system/mount.te
--- refpolicy-git-18012011-minimum-update/policy/modules/system/mount.te 2011-01-19 01:01:20.531005215 +0100
+++ refpolicy-git-18012011-extra-1-update/policy/modules/system/mount.te 2011-01-19 16:23:36.086886975 +0100
@@ -37,6 +37,11 @@ application_domain(unconfined_mount_t, m
 # setuid/setgid needed to mount cifs
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+ifdef(`distro_redhat',`
+ # needed by /sbin/mount.tmpfs bash script
+ allow mount_t self:fifo_file rw_fifo_file_perms;
+')
+
 allow mount_t mount_loopback_t:file read_file_perms;
 allow mount_t mount_tmp_t:file manage_file_perms;
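Review bot: `term_use_unallocated_ttys(plymouthd_t)` in the plymouthd.te hunk is added without a comment saying which plymouthd operation needs it, whereas the mount.te addition in the same series does record its reason (`# needed by /sbin/mount.tmpfs bash script`). Read/write access to every unallocated tty is a wide grant for a boot splash daemon, so a one-line note above the call such as `# needed for <operation from the AVC denial>` lets the next reviewer judge whether a narrower interface fits. The call is also placed immediately above the `Plymouth private policy` section banner, so confirm it is intended for the plymouthd section rather than the section that follows.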
@@ -70,6 +75,7 @@ dev_rw_lvm_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
+dev_read_usbfs(mount_t)
 # Early devtmpfs, before udev relabel
 dev_dontaudit_rw_generic_chr_files(mount_t)
-------------- next part --------------
A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5186 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110119/95421f20/attachment.bin