From 8b2d5ca6db8728268b00f06bdab25549516d6159 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mar 24 2006 16:48:35 +0000 Subject: fixes from thomas bleher Fri, 24 Mar 2006 13:25:54 +0100 --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 2aa3642..33d8754 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,3 +1,4 @@ +- Miscellaneous fixes from Thomas Bleher. - Deprecate module name as first parameter of optional_policy() now that optionals are allowed everywhere. - Enable optional blocks in base module and monolithic policy. diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te index cc38a0c..0c5fe40 100644 --- a/refpolicy/policy/modules/services/cups.te +++ b/refpolicy/policy/modules/services/cups.te @@ -32,7 +32,8 @@ logging_log_file(cupsd_log_t) type cupsd_lpd_t; type cupsd_lpd_exec_t; -inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t) +domain_type(cupsd_lpd_t) +domain_entry_file(cupsd_lpd_t,cupsd_lpd_exec_t) role system_r types cupsd_lpd_t; type cupsd_lpd_tmp_t; @@ -725,6 +726,10 @@ miscfiles_read_localization(cupsd_lpd_t) sysnet_read_config(cupsd_lpd_t) optional_policy(` + inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t) +') + +optional_policy(` nis_use_ypbind(cupsd_lpd_t) ') diff --git a/refpolicy/policy/modules/services/postgresql.fc b/refpolicy/policy/modules/services/postgresql.fc index 66acc36..a77d9eb 100644 --- a/refpolicy/policy/modules/services/postgresql.fc +++ b/refpolicy/policy/modules/services/postgresql.fc @@ -14,6 +14,10 @@ /usr/lib(64)?/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) +ifdef(`distro_debian', ` +/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) +') + ifdef(`distro_redhat', ` /usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) ') diff --git a/refpolicy/policy/modules/services/xfs.fc b/refpolicy/policy/modules/services/xfs.fc index e5d320e..8e70038 100644 
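Review bot: The unconditional `domain_type(cupsd_lpd_t)` / `domain_entry_file(cupsd_lpd_t,cupsd_lpd_exec_t)` pair in the `@@ -32` hunk of cups.te has no comment saying that the inetd transition now lives in an `optional_policy` block added much further down (the `@@ -725` hunk). When the inetd module is absent, nothing in these two hunks transitions into `cupsd_lpd_t`, so the helper would presumably run in the domain of whatever starts it; that is worth stating next to the declaration. I would add `# Declared unconditionally so the type exists without the inetd module; the inetd transition is in an optional block below.` above `domain_type(cupsd_lpd_t)`. If `inetd_service_domain` itself also declares the domain and entry file, the overlap should be harmless, but confirm against the interface definition, which is outside this diff.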
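Review bot: The Debian pattern `/usr/lib/postgresql/.*/bin/.*` in postgresql.fc matches more than one version directory, because `.*` also matches `/`. Any regular file under /usr/lib/postgresql with a `bin` component at any depth would receive `postgresql_exec_t`, which by its name looks like the domain's entrypoint label. If the intent is a single version directory (inferred from the path shape), `/usr/lib/postgresql/[^/]+/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)` keeps the label to that level. A one-line comment naming the Debian layout it targets would also help the next maintainer.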
--- a/refpolicy/policy/modules/services/xfs.fc +++ b/refpolicy/policy/modules/services/xfs.fc @@ -1,6 +1,7 @@ /tmp/\.font-unix(/.*)? gen_context(system_u:object_r:xfs_tmp_t,s0) +/usr/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0) /usr/bin/xfstt -- gen_context(system_u:object_r:xfs_exec_t,s0) /usr/X11R6/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0) diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc index d0ba416..3d19691 100644 --- a/refpolicy/policy/modules/services/xserver.fc +++ b/refpolicy/policy/modules/services/xserver.fc @@ -55,6 +55,9 @@ ifdef(`strict_policy',` /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) +ifdef(`distro_debian', ` +/usr/sbin/gdm -- gen_context(system_u:object_r:xdm_exec_t,s0) +') /usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 9ab09cc..1dc2d5a 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -380,8 +380,6 @@ seutil_read_config(initrc_t) sysnet_read_config(initrc_t) -udev_rw_db(initrc_t) - userdom_read_all_users_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such @@ -709,6 +707,10 @@ optional_policy(` ') optional_policy(` + udev_rw_db(initrc_t) +') + +optional_policy(` uml_setattr_util_sockets(initrc_t) ') diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 54a4013..632acdb 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te 
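Review bot: The Debian `ifdef` for `/usr/sbin/gdm` in xserver.fc is placed directly after the `/usr/bin/Xorg` entry, in the middle of a run of `/usr/bin` paths, and the hunk header shows `ifdef(`strict_policy',`` as the nearest preceding context. If that conditional is still open at this point, the `xdm_exec_t` label would apply only under strict policy and gdm would keep its default label otherwise. The surrounding lines are outside the hunk, so this needs checking in the full file. Either way, moving the block next to the other `/usr/sbin` or distro-specific entries and adding a comment such as `# Debian installs gdm in /usr/sbin` would make the scope obvious.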
@@ -395,7 +395,9 @@ ifdef(`distro_redhat', ` ') ifdef(`hide_broken_symptoms',` - udev_dontaudit_rw_dgram_sockets(restorecon_t) + optional_policy(` + udev_dontaudit_rw_dgram_sockets(restorecon_t) + ') ') optional_policy(`
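Review bot: The `udev_dontaudit_rw_dgram_sockets(restorecon_t)` rule, now wrapped in `optional_policy` inside `hide_broken_symptoms`, still carries no comment saying which symptom it hides. A dontaudit rule removes the denial from the audit log, so anyone triaging AVC messages cannot tell what is being suppressed or when it is safe to drop. I would add a comment above the inner `optional_policy`, for example `# restorecon inherits a datagram socket from udev; hide the denial until the leak is fixed`, with the wording confirmed against the actual cause, which this hunk does not show.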