fixes from thomas bleher Fri, 24 Mar 2006 13:25:54 +0100

2006-03-24 16:48:35 +00:00 · 2006-03-24 16:48:35 +00:00 · 8b2d5ca6db
parent bb7170f673
commit 8b2d5ca6db
7 changed files with 22 additions and 4 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -1,3 +1,4 @@
+- Miscellaneous fixes from Thomas Bleher.
 - Deprecate module name as first parameter of optional_policy()
  now that optionals are allowed everywhere.
 - Enable optional blocks in base module and monolithic policy.
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@ -32,7 +32,8 @@ logging_log_file(cupsd_log_t)

 type cupsd_lpd_t;
 type cupsd_lpd_exec_t;
-inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
+domain_type(cupsd_lpd_t)
+domain_entry_file(cupsd_lpd_t,cupsd_lpd_exec_t)
 role system_r types cupsd_lpd_t;

 type cupsd_lpd_tmp_t;
@ -724,6 +725,10 @@ miscfiles_read_localization(cupsd_lpd_t)

 sysnet_read_config(cupsd_lpd_t)

+optional_policy(`
+	inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(cupsd_lpd_t)
 ')
--- a/refpolicy/policy/modules/services/postgresql.fc
+++ b/refpolicy/policy/modules/services/postgresql.fc
@ -14,6 +14,10 @@

 /usr/lib(64)?/postgresql/bin/.* --	gen_context(system_u:object_r:postgresql_exec_t,s0)

+ifdef(`distro_debian', `
+/usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+')
+
 ifdef(`distro_redhat', `
 /usr/share/jonas/pgsql(/.*)?		gen_context(system_u:object_r:postgresql_db_t,s0)
 ')
--- a/refpolicy/policy/modules/services/xfs.fc
+++ b/refpolicy/policy/modules/services/xfs.fc
@ -1,6 +1,7 @@

 /tmp/\.font-unix(/.*)?		gen_context(system_u:object_r:xfs_tmp_t,s0)

+/usr/bin/xfs		--	gen_context(system_u:object_r:xfs_exec_t,s0)
 /usr/bin/xfstt		--	gen_context(system_u:object_r:xfs_exec_t,s0)

 /usr/X11R6/bin/xfs	--	gen_context(system_u:object_r:xfs_exec_t,s0)
--- a/refpolicy/policy/modules/services/xserver.fc
+++ b/refpolicy/policy/modules/services/xserver.fc
@ -55,6 +55,9 @@ ifdef(`strict_policy',`
 /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/xauth    	--      gen_context(system_u:object_r:xauth_exec_t,s0)
 /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+ifdef(`distro_debian', `
+/usr/sbin/gdm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
+')

 /usr/lib(64)?/qt-.*/etc/settings(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)

--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -380,8 +380,6 @@ seutil_read_config(initrc_t)

 sysnet_read_config(initrc_t)

-udev_rw_db(initrc_t)
-
 userdom_read_all_users_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the 
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
@ -708,6 +706,10 @@ optional_policy(`
 	sysnet_read_dhcpc_state(initrc_t)
 ')

+optional_policy(`
+	udev_rw_db(initrc_t)
+')
+
 optional_policy(`
 	uml_setattr_util_sockets(initrc_t)
 ')
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@ -395,7 +395,9 @@ ifdef(`distro_redhat', `
 ')

 ifdef(`hide_broken_symptoms',`
-	udev_dontaudit_rw_dgram_sockets(restorecon_t)
+	optional_policy(`
+		udev_dontaudit_rw_dgram_sockets(restorecon_t)
+	')
 ')

 optional_policy(`