From fb52482a1f30f03973f6275b4ce22540d5d57a29 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Sep 25 2010 10:23:04 +0000
Subject: Allow firewallgui to sys_rawio which seems to be required to setup masqerading Allow all domains to search through default_t directories, in order to find differnet labels. For example people serring up /foo/bar to be share via samba. Add label for /var/log/slim.log
---
diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
index 4da3d86..910a3f4 100644
--- a/policy/modules/apps/firewallgui.te
+++ b/policy/modules/apps/firewallgui.te
@@ -17,8 +17,7 @@ files_tmp_file(firewallgui_tmp_t)
 # firewallgui local policy
 #
-allow firewallgui_t self:capability net_admin;
-
+allow firewallgui_t self:capability { net_admin sys_rawio } ;
 allow firewallgui_t self:fifo_file rw_fifo_file_perms;
 manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index d58ef64..5843cad 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -121,6 +121,9 @@ term_use_controlling_term(domain)
 # list the root directory
 files_list_root(domain)
+# allow all domains to search through default_t directory, since users sometimes
+# place labels within these directories. (samba_share_t) for example.
+files_search_default(domain)
 # All executables should be able to search the directory they are in
 corecmd_search_bin(domain)
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 39c2bb3..6a160b2 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
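Review bot: In policy/modules/apps/firewallgui.te the new `sys_rawio` capability on `firewallgui_t` is added without a comment saying which operation needs it, and the commit message only says it "seems to be required". `sys_rawio` is a broad capability (it covers raw I/O port and memory-device access), so the rule should carry its justification, for example `# sys_rawio: denied while setting up masquerading; keep only if the AVC shows the operation fails without it`. If the operation turns out to succeed when the capability is denied, a `dontaudit` rule would be the narrower choice. The rule is also written with a space before the semicolon; `allow firewallgui_t self:capability { net_admin sys_rawio };` matches the `fifo_file` rule below it, and the local policy section continues outside this hunk.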
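Review bot: In policy/modules/kernel/domain.te `files_search_default(domain)` applies to every domain, including confined network-facing ones, and the added comment does not say how much access that is. Judging by the interface name this is directory search only, so a domain can traverse `default_t` directories to reach content with another label but gains nothing on `default_t` files; the comment should say so, e.g. `# search only: traverse default_t directories to reach labeled content below them (e.g. samba_share_t)`. If only a few file-sharing services need this, granting it in their modules rather than in the base domain policy would keep the default smaller.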
@@ -106,6 +106,7 @@ ifdef(`distro_debian', `
 /var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
 /var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
 /var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)